The key aim of the GDPR is transparency and openness, alongside the general data protection principles.
When you are reviewing your policies and current practices, it is important to put yourself in the position of an employee – a ‘data subject’. Ensure that the information you have provided is clear, concise, understandable and accessible so that it plainly explains what data you will collect about them, what it will be used for, the lawful basis on which you will be processing the information and who you will provide the information to.
Action points for employers and HR professionals
The most important issue that employers and HR professionals need to think about now is undertaking an audit. Gather information on what employee data you hold, how you obtained it, who you share it with and what you use it for.
For ease, below is a checklist of the things you should be thinking about now:
- Assess the legal justifications/basis on which you hold data. Consider different bases for different categories of information, given the difficulties associated with using consent as the basis going forwards
- Consider how long you need to keep personal data for
- Review and update your incident response procedures to ensure you can comply with the timescales set down in the GDPR and that there is a clear procedure to follow in the event of data breaches
- Review existing data protection policies and, importantly, contracts of employment to see whether any updating or variation of contracts is required
- Update policies to reflect the new subject access request requirements
- Consider implementing training for all HR managers and staff and consider introducing an induction programme for new starters that specifically refers to GDPR
- Draft privacy notices that account for the additional information that now must be provided to employees. Consider how to provide this information to other data subjects whose data you process who may not be employees, for example job applicants or employees’ next of kin
This briefing is for guidance purposes only. RadcliffesLeBrasseur accept no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommend that appropriate legal advice be taken having regard to a client's own particular circumstances.