What is GDPR?
Let’s start with the basics. GDPR stands for General Data Protection Regulation, a set of provisions that were incorporated into the Data Protection Act in 2018. In an HR context, GDPR governs how businesses collect, store and use employee data. The legislation is lengthy, but the following overview will give you a basic understanding of the regulations and how to manage GDPR effectively in HR.
Key Principles
GDPR sets out the following seven key principles, which are central to effective data protection and form the basis of best practice for handling employee data correctly:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Full definitions of these principles can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/
Complying With GDPR
GDPR compliance, and responsibility for it within a business, will more often than not fall to HR, so HR professionals need a good understanding of the regulations and how to apply them. The most important tasks for HR in managing GDPR effectively are as follows:
Policies
Your business should have a specific GDPR policy that sets out general information about GDPR together with what is known as a privacy notice, so that employees understand why you collect their data, what data you collect, how it is used and stored, and what their rights are. These policies should be communicated to staff and be readily available to them. It is good practice to include an overview of the GDPR policy in the induction process for new starters, as well as to provide regular training for existing employees on the policy and on GDPR in general.
Working Practices
It is essential that employers only collect employee data that they absolutely need, that they have consent to process that data, and that it is retained only for as long as is necessary. Your business should therefore ensure that its day-to-day working practices reflect these requirements; for example, staff should be clear about what data they are supplying and what you will do with it. Having a data retention schedule is also good practice, but you should ensure that it is checked regularly and that data is securely deleted or disposed of once it is no longer needed. You should also assign a suitably trained and knowledgeable member of your team as the Data Protection Officer (DPO), so that staff know who to speak to if they have queries or concerns, and so that there is a nominated person to deal with Subject Access Requests or data breaches should they arise.
Security
Keeping data secure is of paramount importance whatever format you hold it in. If you keep hard copies, make sure that you have a clear desk policy and lockable, non-portable storage to keep them in. Likewise, if you store data electronically, protect it with appropriate cyber security measures and always ensure that only those people who genuinely need access to the data in order to perform their roles have it.
Getting It Wrong
If GDPR is not managed effectively or appropriately, the consequences can be wide-ranging. If staff believe that their data is not being collected, used or stored correctly, this may result in grievances and a loss of trust in you as their employer. In such instances, staff can raise issues through your grievance process or even make a report to the Information Commissioner’s Office, which could lead to investigations that are stressful and time consuming for all concerned. If a business is found to have breached GDPR, this could result in reputational damage, and the fines can also be significant. For example, H&M were fined approximately £30.4 million in 2020 for unlawfully collecting and storing information about employees’ families, religions and medical history. Whilst H&M is an extreme example, there are set penalty levels. Infringements deemed to be less severe can lead to a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
As we now live and work in an age where data is handled and used so frequently, it is vital that employers are aware of their responsibilities and are able to safeguard the privacy and security of the data they hold, both to protect the rights of employees and to comply with the law.
Do you have any questions about today’s blog, need help in becoming legally compliant with contracts/policies or can we support you in taking away any people pains to give you peace of mind?
If you answered yes to any of the above, just give us a call at CUBE HR on 01282 678321, or book in a FREE 30 Minute HR Health Check, and we’ll happily give your business a full HR overview with our personal recommendations absolutely FREE!
Why not also check out our blog on a similar topic: What You Need To Know About Staff Handbooks.
We also have a YouTube channel with loads of handy videos outlining various HR related scenarios.