B USINESS HELPDESK
GENERAL DATA PROTECTION REGULATIONS – THEY’RE COMING, READY OR NOT!
HELP DESK
Merchants are waking up to GDPR. The BMF’s employment lawyers Halborns answer some common questions.
“WE’RE A BUILDERS merchant with 70
employees and three sites. How will the GDPR affect our employees?” When is the GDPR in force? 25 May 2018, but you need to start preparing now. But we’re a small
business, surely the GDPR doesn’t apply to us? Unfortunately it applies to all organisations, whatever their size. Given that complaints can come from your employees, your customers or from the Information Commissioner (ICO) which is tasked with enforcing the GDPR, it’s also going to be one of the most highly policed sets of regulations ever.
What types of data does the GDPR cover? The GDPR is all about personal data; that’s data that include all of the personal information you hold about your employees from which national insurance numbers. It regulates how you obtain and safeguard that data, how you can use (process) it, when you have to amend or delete it and what the consequences are if you get it wrong.
Contractural consent Our employment contracts include the employee’s consent to process their personal data – isn’t us? The ICO generally prefers employers to avoid asking employees for consent to process their personal data – they prefer employers to rely on one of the other ‘lawful grounds’ for processing data (which include legitimate business interests and legal requirements). Where you decide that you are still going to go ahead and ask for consent bear in mind
8
that the requirements are changing under the GDPR. From May next year you’ll have to secure the employee’s signature (or evidence of their approval) and keep the terms of the consent separate from any others.
Employee rights What rights does the employee have? They can ask for a copy of their data (data subject access request) or a list of the data that you hold, ask for it to be deleted, limit what you do with the data and ask for it to be amended. From May next year, you’ll only have 30 days to comply with a subject access request so it’s a good idea to have your template responses ready and ensure that you’re clear with everyone as to what a ‘data subject access request’ looks like so that they don’t get missed. Do we need to tell employees what we’re doing with their data? Yes, in something called a ‘privacy notice’. The privacy notice needs to include how long you keep their data, who you share the data with (eg your payroll provider) and what you use their data for. The easiest way of communicating the information is in a data protection policy – which will need updating to take into account the additional requirements of a privacy notice.
we need to know about the personal data that we hold about employees? Yes, you need to ensure you don’t hold more data than you need (bearing in mind the purpose for which it was obtained). You also need to ensure it remains accurate (which is not always as easy as it sounds) and
The ICO generally prefers employers to avoid asking employees for consent to process their personal data – they prefer employers to rely on one of the other ‘lawful grounds’ for processing data.”
“
the Regulations through training, policies, disclosure to the ICO, audits and possibly the appointment of Where can I get help with GDPR issues? Halborns have developed a GDPR toolkit to help members get GDPR ready – further details can be obtained from info@
halborns.co.uk.
delete it when it’s no longer necessary (so it’s a good idea to have a ‘retention policy’. You’ve also got to store it securely and avoid transferring it outside of the EU without appropriate safeguards. If the security of the data is compromised you may need to notify the ICO within 72 hours of the breach and in some instances the employees themselves.
Are there any records or policies that we need to keep? Yes, at the very least you need a record of the categories of personal data that you hold, where it came from and who you share it with. If you’ve got 250 employees you need to capture a log of your ‘lawful grounds for processing the data’.
exposed to if we get things wrong? Between two and four per cent of global breaches of the GDPR. The more you show you tried to comply and took seriously
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Don’t forget that the provisions of the GDPR also apply to customer and other personal data that you hold.
Halborns are the employment lawyers supplying the BMF Intelligent Employment Plus service. The BMF Intelligent Employment Plus Service includes access to contracts of employment and a comprehensive employee handbook, as well as 100s of other documents, regular updates and unlimited 24/7 employment law lawyers.
For further details of any of the issues discussed in this article or the BMF Intelligent Employment Plus service please contact Halborns at info@
halborns.com or call 0115 718 0333.
January 2018 BMJ
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60
