Who does GDPR apply to? GDPR applies to all companies within the EU that process and hold the personal data of employees or candidates residing in the EU. However, it also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects (namely employees and job applicants).
Key changes GDPR has introduced
1. It is now much harder to rely on consent as a legal basis for processing personal data. Personal data is any information from which an individual can be identified. This includes a name, identification number or online identifier. For consent to be valid, it must be freely given.
2. Employers have one month to respond to Subject Access Requests, starting from the date of receipt, rather than the current 40 calendar days. These are often used by employees who wish to see a copy of the information their employer holds about them.
What does your business need to do?
A good place to start is to carry out an audit to identify what personal data you hold about employees and candidates, and where it came from. How and why personal data is processed should be clearly identified. This is to determine whether there's a lawful basis for processing employees' personal data.
You also need to have appropriate documentation, including:
• Privacy notice. This informs employees on how and why their personal data will be used in the context of an employment relationship.
• Data protection policy. This is recommended to set out a company's commitment to handling data under GDPR and data protection law and should normally be included in the employee handbook.
• Data retention policy. While GDPR doesn't set out specific periods for retaining records relating to employment, it requires that data must not be kept for longer than necessary.
• Breach policy / procedure. This is important to help ensure compliance with the breach reporting requirements. Where there's been a data breach which is likely to "result in a risk for the rights and freedoms of individuals", you'll have to notify and provide certain information to the data protection authority within 72 hours. The individuals whose data has been breached will also have to be notified.
• Consent form. On the rare occasion where a legal basis for data processing cannot be relied on, it will be necessary to have a separate consent form. It's important this is worded clearly and relates to the specific data processing.
For more info: www.jelf.com
ian.sandham@jelf.com 01225 444553