25 May 2018 is fast approaching. The General Data Protection Regulation (GDPR) applies from that date, with implications for every employer.

We’ve been supporting our clients with their employee data audits, policies and privacy notices and wanted to share some key tips with you.

Employers determine how and why employee data is processed, making them the ‘Data Controller’. Anyone who processes that data on the employer’s behalf, e.g. HR software providers or consultants such as Tassic, is a ‘Data Processor’. As the controller, you may only use processors that can provide sufficient guarantees that they comply, and you must have a written contract with each one setting out what they may do with the data and on whose instructions.

One of the key changes GDPR brings is the emphasis on documenting compliance. We recommend that you carry out a data audit considering the following:

  1. Whose personal data do you hold? E.g. employees or contractors
  2. What type of personal data is it? E.g. ordinary personal data, or ‘special category’ data (what the previous legislation called ‘sensitive personal data’, such as health records or trade union membership)
  3. Why are you holding it, i.e. what is your lawful basis? E.g. a legal obligation or performance of the employment contract
  4. Where did the data come from?
  5. Where is the data stored?
  6. Who has access? E.g. Recruiters or Payroll providers
  7. How long is it held for?

The data audit feeds directly into your privacy notice, which explains to the individual what information is held, how, where, why and by whom.


Start doing this:

  • Consider mapping data flows into, within, and from your organisation
  • Agree and document how long you’re going to hold each category of data. Retention periods vary with the type of data and the reason you hold it, so don’t rely on a single blanket rule.
  • Ensure only those who need access are allowed to have it, and review access rights whenever someone’s role changes.
  • Work out what data you don’t need anymore, or don’t have the right to hang onto, and destroy it securely.
  • Consider moving electronic records to a secure online file store or database with individual logins and access controls, rather than emailing copies of documents around
  • Think about how you can check that your data is accurate and up-to-date
  • Consider appointing a DPO (Data Protection Officer). This is mandatory for some organisations, e.g. public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data; otherwise, train a manager to handle data queries and processes

Stop doing this:

  • Adding to a never-ending store of personal data without regularly reviewing it and deleting records you no longer need
  • Creating multiple copies of personal data by emailing, printing or copying it to different places.
  • Allowing people access to the data without a good reason
  • Allowing people to access data after the reason for accessing it has ended
  • Storing personal data insecurely, e.g. in unlocked cupboards, on unencrypted USB sticks, or on computers without password protection or disk encryption.

Remember, under GDPR it will be much harder to rely on a blanket consent clause in the employment contract. Consent must be freely given, specific, informed and as easy to withdraw as it was to give, and regulators take the view that the imbalance of power between employer and employee means consent is rarely freely given. You will either need to rely on an alternative lawful basis for processing (e.g. performance of the contract, a legal obligation or Legitimate Interests) or seek separate, specific consent for each processing activity where consent genuinely is the right basis. This means most data protection clauses in contracts of employment will need reviewing.

Non-compliance can carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Separate from these fines and penalties, individuals have the right to claim compensation for any damage suffered, including non-material damage such as distress.

If you need further advice or if you’d like us to draft your data audit, Data Protection policies or privacy notices, please get in touch.