GDPR has just had its first anniversary. While your mailbox is no longer full of companies asking whether you still want to be friends, and it all seems to have gone quiet, don’t think that it has gone away, or that after Brexit the rules won’t apply. GDPR may change after we leave the EU, but it will very much still be there. If you didn’t take it seriously at the time, you really should start to think about how you manage your employees’ personal data.
Around 35% of SMEs still don’t understand GDPR legislation, or know they are not compliant but have not made any efforts to update their processes. The penalties for non-compliance start at up to €10 million, or 2% of annual global turnover, whichever is higher.
As an employer you collect certain information about your employees. This makes you a Data Controller, which is permitted because processing data in order to manage employment is one of the justifiable legitimate reasons. But there are things you must do in order to be legally compliant while processing that data. If you have not yet taken any steps to make your business compliant, now is the time to make a start!
Here are some things that you may still need to do:
- Issue a Privacy Notice to each employee, worker or subcontractor. A Privacy Notice is a legal requirement; its purpose is to let people know what data you hold about them, why you hold it, and what you do with it
- Review recruitment procedures to ensure you are compliant in handling applicant data
- Update your Data Protection Policy, or put one in place if you don’t already have one
- Review your contracts and policies to make sure that they clearly refer to the processing of personal data
- Carry out a data audit on the personal data you process. This is where you can show in detail what you process, why you need to, what the legitimate reasoning is and how long you retain the data
- Carry out some good housekeeping to get rid of data you should no longer be holding
- Review the security of all employee data, in both hard and soft copy
- Draw up a plan of what you would need to do should a member of staff make a Subject Access Request or a right to be forgotten request
- Draw up a plan of what you would need to do should there be a breach of data security for employee data
- Have a process for gaining the permission of a leaving employee to give references for them, should you be contacted by a new employer
- Make sure you have a Processor Agreement in place with any organisations you share staff data with
Even if you completed everything ready for May 2018, now is the time to review what you have in place to make sure it is all still correct and up to date.
If you’re still unsure of what you need to do, you can check on the ICO website to see if there are any areas that you could improve on: https://ico.org.uk/for-organisations/data-protection-self-assessment/controllers-checklist/
vivoHR have provided many of our clients with the HR documents needed to comply with the HR aspects of GDPR. We would be happy to help you if you need anything. Let us know what documents you need and we will be able to give you a quote.
Please note that we can only assist with HR data. If you process client data, you will need to make sure you are aware of the guidelines for client information. You may find the processor checklist helpful: https://ico.org.uk/for-organisations/data-protection-self-assessment/processors-checklist