The General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It will supersede the Data Protection Act and will directly impact the UK, even after the UK’s likely exit from the EU.
There will be a range of implications to the way you manage your business, not least in the way you manage your people.
It’s important, if you’ve not already, to audit your policies and procedures to determine what changes need to be made in your HR processes.
If you’ve got existing IT infrastructure in place you need to be reviewing it and ensuring it is fit for purpose in this new world. This is particularly important as fines for non-compliance range up to €20 million or 4% of a company’s annual worldwide turnover, whichever is greater.
- The person responsible for how data is processed (legally to be known as the Data Controller) will have to provide much more information about how data is being used.
- Companies will need to acquire explicit consent to process data
- Data Protection Officers will have to be appointed by organisations if they process personal data on a large scale (if you’ve got a lot of employees, this means you too)
If you’ve got employees these regulations will impact you in a number of different ways. You will have to be careful about how you store the data during the recruitment process, through the course of employment and once contracts are terminated.
This means that employers will have to take many more steps than they would have done in order to ensure employees have expressly given their consent to the use of their data. The operative word here is express. Whereas previously a clause in the contract of employment would have been enough, now you should have a separate form on which they opt in.
It’s also essential that your data protection policies are not only audited but, once they’ve been updated, communicated to all your employees.
You’ll probably have to update your equal opportunities policies as well. As you can only store personal information for as long as required, you will only be able to store some sensitive personal information for the duration of pre-selection checks.
Also, if you use any kind of automation in your selection process you should be additionally careful as employees can’t be solely assessed by automated systems.
The regulations are very prescriptive when it comes to “fair processing notices” and employees need to be informed of their right to refuse the processing of their personal information.
In the old model employees would have had to pay a fee to access their data. Now, however, it must be freely available to them, and you should make sure that you clearly signpost to your employees how they can get access to this data.
In addition to ensuring their HR software allows employees to access their data, businesses will need to be clear that their HR software and other data systems will enable them to delete that data, thus ensuring they are compliant with the data subject’s new “Right to be Forgotten”.
If you’ve not yet started to think about how your people management will be impacted by this change of regulations, it’s probably time to start thinking about it. Being proactive in this area could help overcome any potential issues further down the line. After all, any mistakes with the security of personal employee data could be seriously detrimental to your business.