A more stringent data protection regime comes into force on 25 May 2018 under the General Data Protection Regulation ("GDPR"), with rigorous reporting requirements and, potentially, heavier fines.
The new data protection principles
Personal data, i.e. information that identifies, or could be used to identify, a living individual, must be processed in accordance with the following principles:
lawfulness, fairness and transparency;
purpose limitation;
data minimisation;
accuracy;
storage limitation;
integrity and confidentiality; and
accountability.
The personal data an employer processes will be extensive, including recruitment records, sickness absence records and general administrative data. Note that sickness records contain health information, which the GDPR treats as special category data: processing it requires an additional condition beyond the general lawful basis, such as the employer's obligations under employment law.
Lawful processing
Processing will be lawful where the employee has given consent. However, consent must be freely given, specific, informed and unambiguous, and it will no longer be possible to rely on a consent clause buried in the employment contract. One way to evidence consent is to use separate consent forms. Bear in mind that, because of the imbalance of power between employer and employee, consent will rarely be regarded as freely given in the employment context, and it can be withdrawn at any time; it should therefore be relied on only where the employee can genuinely refuse without detriment. For most routine employee data another lawful basis is more appropriate.
Processing will also be lawful where it is necessary for the performance of the employment contract, for compliance with a legal obligation, or for the legitimate interests of the employer (provided those interests are not overridden by the employee's own interests and rights). Processing payroll data so that employees are paid is an example: it is necessary both to perform the contract and to meet the employer's tax obligations.
The basis and reasons for the processing should be explained in a data protection policy or privacy notice. Policies and forms should be clear, comprehensive and written in plain language.
The policy should cover who will receive the personal data; the retention period (or the criteria used to set it); the employee's rights, including the right to withdraw consent where consent is the basis relied on; and the right to complain to the regulator.
How can I prepare?
– ensure you, and your employees, understand the requirements of the GDPR, particularly those relating to individual rights;
– be clear about the legal basis for processing each category of employee information;
– carry out an information audit so that you know what information you hold;
– update your current policies (including your disciplinary policy) and ensure you have appropriate consent forms drawn up; and
– consider how you will deal with a subject access request (which must generally be answered within one month) and a personal data breach (which must be reported to the regulator within 72 hours of becoming aware of it where it is likely to result in a risk to individuals, and to the affected individuals without undue delay where that risk is high).