|
Who does GDPR apply to? GDPR applies to all companies within the EU that process and hold the personal data of employees or candidates residing in the EU. However, it also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects( namely employees and job applicants).
Key changes GDPR has introduced
1. It is now much harder to rely on consent as a legal basis for processing personal data. Personal data is any information from which an individual can be identified from. This includes a name, identification number or online identifier. For consent to be valid, it must be freely given. 2. Employers have one month to respond to Subject Access Requests, starting from the date of receipt, rather than the current
|
40 calendar day. These are often used by employees who wish to see a copy of the information their employer holds about them.
What does your business to do?
A good place to start is to carry out an audit to identify what personal data you hold about employees and candidates, and where it came from. How and why personal data is processed should be clearly identified. This is to determine whether there’ s a lawful basis for processing employees’ personal data.
You also need to have appropriate documentation, including:
• Privacy notice. This informs employees on how and why their personal data will be used in the context of an employment relationship.
|
• Data protection policy. This is recommended to set out a company’ s commitment to handling data under GDPR and data protection law and should normally be included in the employee handbook.
• Data retention policy. While GDPR doesn’ t set out specific periods for retaining records relating to employment, it requires that data must not be kept for longer than necessary.
• Breach policy / procedure. This is important to help ensure compliance with the breach reporting requirements. Where there’ s been a data breach which is likely to“ result in a risk for the rights and freedoms of individuals”. You’ ll have to notify and provide certain information to the data protection authority within 72 hours. The individuals whose data has been breached will also have to be notified.
|
• Consent form. On the rare occasion where a legal basis for data processing cannot be relied on, it will be necessary to have a separate consent form. It’ s important this is worded clearly and relates to the specific data processing.
For more info: www. jelf. com
ian. sandham @ jelf. com 01225 444553
|