Breaching the law could subject a company to significant fines of up to €20 million, or 4% of an organisations’ global annual turnover, whichever is higher.
The major changes that GDPR have on HR information are:
- Data protection by design and default – A new approach to data that requires organisations to embed privacy considerations in both operational and strategic HR practices. Employers need to ensure that only personal data necessary for each specific purpose is processed. This includes ensuring that:
- only the minimum amount of personal data is collected and processed for a specific purpose;
• the extent of processing is limited to that necessary for each purpose;
• personal data is stored for no longer than necessary; and
• access to the data is restricted to that necessary for each purpose.
- Processing by consent – Many employers currently process your personal data based on consent. This approach has been increasingly criticised, as the validity of employee consent is questionable due to the imbalance of power in an employment relationship. Under GDPR consent must be “freely given, informed, specific and explicit”. Where your employer obtains consent in a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. This means that broad consents in employment contracts to process your data will not be valid. Further, the requirement that consent be freely given means that valid consent will generally be difficult to obtain in the employment context due to the imbalance of power.
- Legal basis for processing – There is a greater focus on the legal basis for processing personal data under the GDPR. As processing employee data on the basis of consent will be problematic, employers will need to rely on other grounds, including that processing is necessary for:
- compliance with a legal obligation;
• the performance of a contract; or
• the purposes of the legitimate interests of the employer or a third party.
If you were to object to processing based on legitimate interests, your employer cannot process the data unless it shows that its legitimate interests are sufficiently compelling to override your interests or rights, or that the purpose of processing is to establish or defend legal claims.
- Information for employees and job applicants – Under the GDPR, employers are required to provide more detailed information than under the Data Protection Act 1998 to employees and job applicants about the processing of their personal data. Under GDPR, information that employers must provide includes:
- the identity and contact details of the employer as a data controller;
• the data protection officer’s (DPO) contact details (if the organisation has a DPO);
• the purposes for which the data will be processed and the legal bases for processing, including, if relevant, the legitimate interests relied on;
• the categories of personal data to be processed;
• the recipients of the data;
• any transfer of the data outside the European Economic Area (EEA);
• the period of storage;
• the rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority;
• the consequences for the data subject of failing to provide data necessary to enter into a contract; and
• the existence of any automated decision-making and profiling, and the consequences for the data subject.
Employers must provide the information at the point of data collection. Where an employer wishes to process existing data for a new purpose, it must inform employees or job applicants of that further processing.
- Data subject access requests – You have an existing right under the Data Protection Act 1998 to obtain from your employer (or former employer):
- confirmation as to whether or not your personal data is being processed;
• information on your data, including the purpose of processing, categories of data collected and the recipients of such data; and
• a copy of the data being processed.
Under the GDPR, employers must provide the requested information within one month of the request (three months in the case of complex requests), and free of charge unless the request is manifestly unfounded or excessive. The GDPR places much more rigorous obligations on employers to ensure that there are systems in place to ensure that they comply with access rights, with particular emphasis placed on the clarity, transparency and accessibility of such systems.
- Accountability principle – One of the biggest changes under the GDPR is the new principle of accountability; the GDPR requires employers to demonstrate compliance with the data protection principles. This will mean enhanced obligations for employers, including a requirement to keep extensive internal records of data processing operations, which must be produced to the supervisory authority for inspection on request. Employers should create a data register to meet their record-keeping requirements. This should be an up-to-date written record containing information about all personal data processed by the organisation.
- Automated decision-making – You have a right under the GDPR not to be subject to a decision made solely by automated processing where a decision significantly affects you. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as your performance at work, health, personal preferences, reliability and behaviour). The GDPR requirements regarding automated decision-making mean that employers should incorporate human intervention into automated processes that significantly affect employees unless they are relying on an exception to the rule.
Lots to think about but the good news is we are employment law experts – so you don’t have to be. If you have further questions on this, or any aspects of your employment, chat to our HR experts today.
FREE GUIDE to determine if you have a good Employment tribunal Case
Not sure if you have a strong case or even any case at all for an employment tribunal?
Not sure if you should make a fuss? Feel lost and unsure? Download our free guide and in less than 5 minutes you'll know the answers and if you have a claim that might be worth something.
How to write a powerful appeal letter so your employer takes you seriously.
Learn how to create a powerful appeal letter which makes your employer really consider your case and understand that you are a force to be reckoned with...even if you are no good at letter writing.
If you have been dismissed (sacked) or issued with a disciplinary warning this detailed and effective training enables you to write a fabulous and effective appeal letter. Includes, templates, timelines and training.
FREE Disciplinary Meeting Checklist Download
Never been to a disciplinary meeting? You're not alone! It's a scary thought. Worried about it being fair, how to act, what to say, what not to say and how to prepare? Download our free checklist so you go into the meeting feeling prepared, confident and able to challenge effectively. Our checklist will prepare you with everything you NEED to know.