General Data Protection Regulations - Employee Record Keeping And Beyond

As you may be aware, the new General Data Protection Regulations (GDPR) come into place in May 2018, so now's the time to start embarking on your GDPR journey if you haven't done so already.

From an HR perspective this means that employers need to ensure they are ready for the new requirements in respect of their employee data and beyond. GDPR is an extension of existing UK data protection laws. This new legislation builds on the Data Protection Act (DPA) which employers already need to adhere to. DPA principles cover areas such as ensuring employers keep accurate, secure information. Guidance At the forefront of helping businesses understand this evolution of our data protection laws is the Information Commission’s Office (ICO). It has recently published GDPR Myths*, a series of blogs to help demystify the new regulations. In its latest blog, the ICO provides valuable advice and guidance on how employers need to respond if a data breach occurs. It reports that some employers have expressed concern that any data breach needs to be reported and that huge fines will ensue.

The ICO says this is not the case and that only breaches that are likely to risk people’s rights and freedoms will need to be reported. The ICO also points out that fines will be proportionate and that companies who are open, honest and report without undue delay can avoid fines. It is expected that by now larger companies will already have appointed a Data Protection Officer (DPO), however, smaller companies are also advised to consider who in their company is responsible for data. It’s advisable for all companies, no matter how small, to know who is responsible for data (again not just employee data) and who is responsible for reporting a breach should it occur. This starts to form a robust data governance approach.

Further still, forming a data protection working party or project team to audit what data is being processed is also advisable. Employee data processing Employee data processing will be a key focus for many companies and HR managers reading this article as some employers may be unsure as to whether there are any changes for storing their data. As all companies will be storing employee records in some way, shape or form, they are now advised to review these filing systems, including the security of the data they are processing in respect of employing people, to ensure robustness. Some companies are already writing to their third-party data processers asking for evidence of their compliance. Handlers of this data need to make sure they are processing data fairly and for legitimate purposes. Furthermore, if they are transferring it outside of the EEA there are specific safeguards in place. For those employers wondering if the UK’s exit from the EU will affect GDPR, the Government has already confirmed it won’t.

However, international companies operating across EU states will need to work out who their lead data protection supervisory board is. In summary, the good news is that where GDPR is concerned, common sense does prevail and that the processing of data where it is necessary for the performance of a contract will be a valid reason for processing.