The General Data Protection Regulation (GDPR) is due to replace the Data Protection Act from 25 May 2018. The new regulation harmonises data protection law across the European Union (EU) and applies to any organisation processing the personal data of individuals in the EU, wherever that organisation is based.
For internal data, employers will now have to give employees more detailed information, for example: how long an employee's personal data will be stored, whether the data may be used outside the UK, and the rights to have personal data deleted ('right to be forgotten') or corrected in specific circumstances.
Becoming compliant is business critical: employers who breach the GDPR face penalties of up to €20m or 4 per cent of annual global turnover, whichever is higher.
For processing to be lawful under the GDPR, you must identify a lawful basis before you process any personal data.
It is important to determine the lawful basis for each type of processing and to document it. It is the data controller's responsibility to identify and record the appropriate basis for processing the data it holds. Employees have the right to be told who is processing their data and for what purpose.
Should a personal data breach be identified, employers must notify the data protection authority, reporting the key information, within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals. It may not be possible to investigate a breach fully within this time; establishing what happened, who was affected and on what scale can take far longer than 72 hours. With that in mind, the GDPR allows the information to be submitted in stages, provided the initial notification is made within the deadline.
The right to be forgotten
The right to erasure, or 'right to be forgotten', allows an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing. It is not, however, an absolute right. In short, if an employee's data is still needed, for example for payroll purposes, the employer is not obliged to comply with a request for erasure.
A conflict can arise when an employee asks for their data to be deleted but the law requires you to retain payroll records, in some cases for up to seven years. In that situation the legal retention obligation takes precedence, and the employee should be told why the request cannot be met in full.
In summary, you must have a lawful basis for using personal data, tell individuals how and where their data will be used (including any sharing with third parties), and be ready to handle requests under the right to be forgotten.
Are you ready?
In the countdown to some of the biggest changes yet to the handling and reporting of employees' personal data, are you GDPR ready?