What to do about GDPR
How does GDPR affect LEEA members as employers? Stephen Pumfrett ACII, Chartered Insurance Broker at Jelf Insurance Brokers, explains.
The General Data Protection Regulation (GDPR) came into force on 25May 2018. GDPR applies to all companies within the EU that process and hold employees’, candidates’ or customers’ personal data. It also applies to organisations outside of the EU that offer goods and services to, or monitor the behaviour of, EU data subjects such as employees and job applicants.
Many LEEA member companies have trade outside of the UK. So with Brexit being imminent, it’s important to ensure international consistency with data protection. If you haven’t already, now is the time to make sure you are compliant.
What is personal data?
Personal data is any information that can identify an individual. This could be their name, identification number or online identifier. In other words, if it is possible to identify a person directly from the data you have, then that could be personal data. But even if the person is identifiable by that data, it is not personal data unless it “relates” to an individual1. See the Information Commissioner’s Office website at ico.org.uk for more details about personal data.
Employee data and consent
When processing personal data, the individual can give their consent for this to happen. However, under GDPR consent must be freely given. With the relationship between and employer and employee it can be difficult to show that an employee has freely given their consent. So you may need to rely on other legal bases for processing their personal data.
An employee can request to see a copy of the information you hold about them. But the response time for you to provide this has now been reduced to one month. You can however extend this by up to two months where the request is complex or excessive. The copy you provide to your employees should be given free of charge, however if the request is unfounded or excessive, a reasonable fee may be charged.
What do you need to do?
You should have already carried out an audit to identify the personal data you hold about your employees and candidates and where the data came from. You need to be able to clearly identify why personal data is being processed, so it is clear that there is a legal basis for processing your employees’ personal data.
You also need to have the appropriate documentation:
- Privacy notice
This lets your employees know how and why their personal data is being used in the context of their employment relationship. You now also need to provide employees and job applicants with more information about the data you hold including: how long it will be stored; if it’s transferred to other countries; and information about their rights to have their personal data deleted or amended. - Data protection policy
This is recommended to describe your company’s commitment to handling data under GDPR and data protection law. This should be included in your employee handbook, but your privacy notice can be used in this policy. - Data retention policy
GDPR requires that any data you hold must not be kept for longer than necessary. You must set your own retention time limits based on law and best practice, and it’s useful to set this out in a policy. - Breach policy or procedure
This policy helps to ensure compliance with the breach reporting requirements. When there has been a data breach which could “result in a risk for the rights and freedoms of individuals”2, you must notify the data protection authority within 72 hours. If you are in breach of GDPR you can be fined up to 4% of their annual global turnover or €20m – whichever is greater. - Consent form
If you are in a situation where the legal basis for processing data can’t be relied upon, you’ll need to have a separate consent form.
If your company regularly monitors or processes sensitive data on a large scale as a core activity, you will need to appoint a Data Protection Officer (DPO). Your DPO will advise on GDPR obligations, check compliance and liaise with the data protection authority.
If you need guidance or support in relation to these changes, our employment law specialists at Jelf can help. Visit jelf.com or contact Stephen.Pumfrett@jelf.com.
This information is provided for the purposes of general interest and is not intended to apply to specific circumstances. Reasonable steps have been taken to check accuracy at the time of writing but we make no representation as to future accuracy. This information does not constitute legal or regulatory advice. We are not qualified to provide, and will not provide, legal or regulatory advice. We recommend that you obtain your own such specific legal or regulatory advice on matters such as GDPR from relevant professional advisers
