General Data Protection Regulation (GDPR) – employee record keeping and beyond

10 October 2017

In ‘General Data Protection Regulation – what payroll managers need to know’ we discussed the lawful processing of data and GDPR in respect of payroll data. Now, we begin to look at GDPR from a HR perspective to ensure employers are ready for the new requirements in respect of their employee data and beyond. This will form part of a continuous focus on this hot topic until May 2018 when GDPR goes live. We appreciate many companies may not yet of begun their GDPR journeys, so we will be offering advice and guidance in bite sized chunks. We will also help to signpost employers to useful information which extends beyond the processing of employee data.

GDPR is itself an extension of existing UK data protection laws. This new legislation builds on the Data Protection Act (DPA) which employers already need to adhere to. DPA principles cover areas such as ensuring employers keep accurate, secure information.

The ICO (Information Commission's Office) are at the forefront of helping organisations understand this evolution of our data protection laws. They recently published GDPR Myths. This series of blogs helps to demystify the new regulations.

Data breach – what an employer needs to do?

In ICO’s latest blog they provide valuable advice and guidance on how employers need to respond if a data breach occurs. The report that some employers have expressed concern that any data breach needs to be reported and that huge fines will ensue. The ICO say this is not the case and that only breaches that are likely to risk people’s rights and freedoms will need to be reported.

The ICO also point out that fines will be proportionate and that companies who are open, honest and report without undue delay can avoid fines. It is expected that by now, larger organisations will already have appointed a Data Protection Officer (DPO). However, smaller organisations are also advised to consider who in their organisation is responsible for data. We would advise all organisations, no matter how small, to know who is responsible for data (again not just employee data) and who is responsible for reporting a breach should it occur. This starts to form a robust data governance approach.

Employee data processing

Turning the discussion back to employee data processing, as this will be a key focus for many organisations, some employers may be uneasy on if there are any changes for storing their data.

All organisations will be storing employee records in some way, shape or form; so are now advised to review these filing systems, including the security of the data they are processing in respect of employing people, to ensure robustness. We have already observed some organisations writing to their third-party data processers asking for evidence of their compliance. Handlers of this data need to make sure they are processing data fairly and for legitimate purposes. Furthermore, if they are transferring it outside of the EEA there are specific safeguards in place.

For those employers wondering if the UK's exit from the EU will affect GDPR the government has already confirmed it will not. However, please note that International companies operating across EU states will need to work out who their lead data protection supervisory board is.

Further still, forming a data protection working party or project team to audit what data is being processed is also advisable. Steve Snaith and his team in risk assurance are already helping organisations with data mapping and auditing. 

In summary, the good news is that common sense does prevail and that the processing of data where it is necessary for the performance of a contract will be a valid reason for processing. If you have any queries or questions in relation to any of the points made please contact your HR Consultant or Stephen Sweetlove for further advice and guidance. We will continue to focus on this topic as we approach next year tackling other aspects of the GDPR in further detail; such as consent, the right to be forgotten, and subject access requests.