With just over a week to go before GDPR (the General Data Protection Regulation) becomes law, here’s a useful guide to the initial actions employers need to take – helpfully broken down into 7 key steps by our HR partners at West HR…
Businesses across the length and breadth of the UK are busy preparing for how GDPR affects their use and storage of customer data. But it’s crucial to remember that the definition of ‘personal data’ under GDPR also applies to all personal data held about your employees (and potential employees) in HR systems and files anywhere in your business.
It’s also important to understand that certain categories of ‘personal data’ are subject to even stricter rules regarding collection and processing. These ‘special’ categories include things like racial or ethnic origin, sexual orientation and health/medical information.
Here are 7 key steps for the initial actions you should be taking as an employer, to make sure your processes for collecting, storing and using your employee personal data don’t fall foul of the new GDPR regulations:
Step 1: Data Audit
Conduct a full data audit of what staff data you hold, where you store it, why you hold it, who has access, and how long you keep it for. This may be quite a challenge if you store your personnel records in different locations, but it’s a crucial first step because it will inform all the other documents and records you will need to demonstrate your compliance with GDPR. West HR can provide a template to give you hints and tips on where to look and what to capture.
Step 2: Duplication
Your data audit will identify areas where you store the same employee personal information in more than one place. While some duplication of data is unavoidable to ensure the smooth running of your business, it’s important to understand that the more duplication there is, the harder it is to keep it up to date and delete it when it is no longer required. Speak to operational teams and other data users within your organisation to find ways to hold employee data in a shared location, so the information is only ever stored in one place, with secure and appropriate access by different teams and functions when needed.
Step 3: Privacy Statements
For employee data, you’ll need to write two different privacy statements – one for job applicants, and one for employees. Your privacy statement is a clear explanation to your data subjects (employees and job applicants) of what data you hold, why you hold it, what you will use it for, and how long you will keep it.
Step 4: Document Review
Your existing employee documentation will need to be reviewed to remove all but a few references to consent and the outgoing Data Protection Act (1998). You’ll also need to look at any confidentiality, discipline and social media policies, updating them where necessary to reflect the new GDPR standards.
Step 5: Staff Training
As an employer in the new world of GDPR, you’re not only responsible for your company’s systems and procedures, but also for the actions of your staff. All your employees will need overall GDPR awareness training – and any staff members who work with personal data will need more detailed specific training on what they need to do to comply with the new regulations.
Step 6: Procedural Review
Check when and how you are communicating your privacy notices to employees and job applicants – make sure that anyone who provides you with personal information knows why you are collecting it, what you will do with it, and how long it will be kept for. You also need to implement robust procedures for dealing with requests for data changes/updates, Subject Access Requests, and data breaches so you can respond appropriately within the new timescales set out in GDPR.
Step 7: Deletion Procedure
An important part of GDPR is not keeping personal data for longer than it is needed. Job applicant details are generally deleted after 6 months, and employee details are normally only retained for 6 years after their employment ends. Make sure you have a robust process for deleting personal data in line with the new regulations – and include a regular audit of personal files to ensure you aren’t storing any information you no longer have a use for.
For more information about GDPR and how it affects your business, check out these other useful resources:
- Is your website GDPR ready? – a handy guide from Ketchup Marketing to how GDPR affects data collection via your website
- Data Protection for the 21st Century – more details about the employment aspects of GDPR, from West HR
For one-to-one guidance and support with preparing your HR records and employee personal data for GDPR, contact West HR.