If you have not updated your Company Policies in light of the new GDPR regulations contact us NOW! These important changes take effect on 25 May 2018 and you need to ensure your business is protected by updating your policies today!

In our increasingly interconnected world there's never been a better time for our personal information to be given extra protection. What are the implications for employers and employees?

Employers should be proceeding apace with updated policies and procedures, documentation (including the all-important privacy notices), and training plans, because the Information Commissioner’s Office (ICO) can impose fines for breaches, and there is a strict duty to report breaches if there’s a risk to the rights and freedoms of individuals. Data protection is of course all about respect for the individual.

Employers will already have policies and procedures in place thanks to the rules and principles of the Data Protection Act 1998. These protect digital data and data stored on paper, subject to principles based on fairness and lawfulness. The GDPR builds on these rules and principles, and so although compliance with GDPR will be onerous, it should not be seen as a step change in the collection and storage of data, but a step up to better policies and procedures. This should build trust, because employees will know the use and storage of their data is even more carefully regulated.

Consent must be obtained for the gathering and storage of personal data, and the reason for its gathering explained. And this of course includes data already held prior to GDPR coming into force. As data may only be retained for a specific purpose, there will need to be procedures in place for the regular review of its storage. Employers might take this opportunity to update employment contracts. But as consent must involve employees having a real choice, and consent must be specific and freely given, it is doubtful whether a catch-all clause will be appropriate.

In an employment context it is questionable whether consent can be freely given in all instances because, of course, employers are in a position of power. Consent is only one of six lawful bases for processing personal data. What are the alternatives to consent? Other lawful bases include the requirement to fulfil the employer’s side of the employment contract, or the obligation of the employer to comply with UK or EU law. There is also a classification of “legitimate interests”. Careful consideration should be given to ICO guidance on this issue. There is a helpful consultation document at ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf.

Employers must ensure employees are trained and ready for GDPR, in particular those involved in data storage (not forgetting CCTV), Human Resources and IT departments, and employees who work in marketing and with the organisation’s social media. Employees must also be given information about their rights under GDPR, including their right to see their data and to correct it if necessary, the right to withdraw any consent they have given, and the important right to be “forgotten”.

Within a recruitment process, care will have to be taken in the acquisition and storage of data relating to applicants. What is an appropriate period for storage of personal information relating to unsuccessful applicants in order to cover the risk of a Tribunal process? The retention of this personal information must be periodically reviewed. Moreover, candidates cannot be selected by means of an automated selection process, for example one based on qualifications or experience, except in certain special circumstances, for example where explicit consent has been obtained.
