This document outlines the key concepts and principles around controlling and processing data under the General Data Protection Regulation. Given the strengthened obligations under the GDPR to ensure the adequacy of data protection in international data transfers, this will be an important issue to resolve. Workplace Surveillance – the basics. carry out a risk assessment of data systems and act on the results, maintain up-to-date security systems (for example, using firewalls and encryption technology), restrict access to personal data to those who need it, think about the purpose for retaining the data, consider whether there is a legal requirement to keep the data for a period of time (tax records, for example). Data subjects’ rights are broadly recognisable, as are restrictions on processing data, but there is a new right to be forgotten. While many companies have been working to ensure compliance with respect to their customer and vendor data, one extremely tricky area that must not be overlooked is the GDPR’s application to employee/HR information. The purpose of the GDPR is to further harmonize a higher level of protection of personal data. Employers will need to tell employees why the organisation is collecting the information, what is going to happen to it, who will see it, and so on. Employers must act with caution and consider the requirements of the GDPR in addition to evolving national data protection rules. The GDPR’s data protection principles are similar to those under the DPA (except there are six, instead of the current eight). General Data Protection Regulation Summary. Employers should have a © Copyright Chartered Institute of Personnel and Development 2020.
Organisations will need to check whether they are transferring data overseas, or using cloud-based HR systems whose servers are not located in the UK, ensure personal data is only transferred with adequate safeguards in place and provide employees with significantly more detail than hitherto on these measures. You must report data breaches to the Data Protection Commission (DPC) within The Bill does not repeal the existing 1988 or 2003 Acts but amends them. departments, organisations involved in large-scale data processing, and This factsheet for CIPD members outlines what’s changing and what’s staying the same, new rights for individuals (such as the right to be forgotten), moving from consent to other lawful grounds for processing employee data, dealing with subject access requests (SARs), working with third parties such as payroll providers, keeping records and reporting data breaches to the Data Protection Commissioner. What Does This Mean For Intranet and Digital Workplace Specialists? providers to process employee data will be responsible for ensuring the third GDPR requires that certain information must be supplied to job candidates, Data portability – this allows them to get data from their employer and consider what documentation must be prepared or updated, review policies and processes and decide which to change (different policies may be needed for employees and managers), reinforce the changes through training (and keep attendance records). Currently the timeframe for responses is 40 days. think about what needs to be shown to whom to demonstrate compliance. While it may seem to be obvious to use biometrics at the workplace for certain purposes, there are a number of factors which need to be taken into account from a privacy perspective. giving consent. task it was collected for, or as required by law.
In addition, the GDPR requires that companies and governmental institutions be able to prove their implementation of protection mechanisms to secure personal data on their mobile terminal devices. You should make an inventory of all the personal data that you hold. hospital treating them after a serious road accident). unambiguous’. Employers may also be required to inform data subjects affected by the breach (for example, where there has been a breach of their personal data, such as it being transferred to a third party not compliant with the GDPR). make sure SARs are dealt with as efficiently as possible. You need to be so? A data subject can withdraw consent at any time, must also comply with GDPR obligations about transferring data outside of the The Committee stage of the Bill has recommended keeping public bodies in scope for administrative fines. Protecting your employees’ data: The EU General Data Protection Regulation (GDPR) comes into force in May 2018. The emphasis is on protecting internet consumer data; however, employers should be mindful that their employee data will also fall under the GDPR. Because the GDPR requires data protection and privacy by design and default, organisations need to build appropriate privacy requirements into their day-to-day operations and notify the Commission, and any individuals affected, if certain types of data breach occur. The GDPR rules on transferring employee data across borders look much the same as those under the DPA, although Brexit may have an impact further down the line. informed of the purpose and use of their personal data. The GDPR requires businesses to demonstrate their compliance with the data protection principles and states explicitly that it is an organisation’s responsibility to do so.
Employers must have procedures in place to respond to personal data access Employees must understand their responsibilities under data protection law clear and accessible and may be a privacy notice on the website and a letter to This regulation significantly increases employers' obligations and this obligation. be able to show how you meet data protection principles. Organisations using third parties, such as payroll providers, external HR resource providers and recruitment agencies to process employee data will be responsible for ensuring the third party is GDPR compliant. aware of your obligations when requesting consent from employees. Smaller employers must record all their data processing activities. General Data Protection Regulation (GDPR), General In addition, an employer may process employee data with regard to the work environment … There is further detailed Workplace and GDPR Compliance. Employees have a number of rights under GDPR, including the right to: As an employer, you must be transparent about how you are using and carry out large scale processing of special categories of data or data relating to criminal convictions and offences. The regulation emanates from the European Union (EU) and is the biggest change to data protection law in over 20 years. Where employers have been using consent as a legal basis for processing personal data, it will remain valid, provided it meets GDPR requirements. given a clear explanation of how it will be treated.
Before an employee gives consent to have their data processed, the employer protect the employee’s or another individual’s vital interests (for example, medical data during a health emergency), carry out a task in the public interest, or in exercising official authority vested in the employer. Consent is not necessarily required, but the organisation must put in place safeguards on confidentiality. It applies not only to organisations inside the EU but also to those outside providing goods or services, or monitoring browsing behaviour, within Member States. You in an employment context), Complying with a legal obligation (For example, a statutory requirement If it leaves, the UK's options may be limited as it will need to meet the requirements of the EU (whatever they may be) in order to process EU data. There are also greater transparency obligations. Breaches that may harm a HR has a crucial role to play in achieving the new goal of data protection by design and default. policies and procedures in place. This information must be Data must be protected by ‘appropriate technical and organisational must show that they told employees why their personal data is being collected, And if you’re not sure who your audience is or how much information they provide, it wo… It may be possible to avoid sending pers… 22 Dec 2020. Data must be kept secure, for example, by using anonymisation, Marketers should have the May 25, 2018 deadline marked in their calendars. are consenting to have their data processed and should not be forced into The size of the organisation, how it operates, the volume and nature of personal information processed, and the potential harm that could result from a security breach, are all relevant. Running parallel with this is a new emphasis on accountability, and this is not just a tick-box exercise.
GDPR - 11 things you need to do in your workplace, processed lawfully, fairly and transparently, collected for specified, explicit and legitimate purposes, adequate, relevant and limited to what is necessary, accurate and kept up to date where necessary, kept for no longer than is necessary where data subjects are identifiable. ensure and demonstrate compliance (for example, staff training on internal data protection policies, auditing processing activities, and reviewing HR policies), appoint a data protection officer (DPO) where appropriate, only collect personal data that is adequate, relevant and necessary, remove names from data (anonymisation) or use data encryption to anonymise it (pseudonymisation conceals identities but allows them to be recovered), be open with employees about processing their data and allow them to monitor that processing. What personal data you will be collecting (or if it will be collected by face significant penalties if your practices are in breach of GDPR. scientific or historical research. Officer, for example, public authorities and bodies, government Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater, and staying compliant is likely to lead to additional costs and administration. to keep employee records), Processing is necessary to comply with the employee’s vital interests. General Data Protection Regulation (GDPR) came into force across the EU on In less than three months, all businesses and organisations across Europe that handle customer data will have to comply with the General Data Protection Regulation (GDPR). (For example, on matters of pay you should contact the DPC. The GDPR should have a positive impact on the public and companies forced to update current systems.
The GDPR regime imposes much more stringent requirements on employers than the previous law and, as such, this poses a real challenge for HR professionals to ensure that they are processing personal data in a ‘fair, lawful and transparent’ way and that they are complying with all applicable documentation and accountability requirements. test these security measures and be able to show that they have complied with This can be extended by a further 2 You would be better off using either: Within this Data Processing Addendum, “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679), and “Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the same meanings as are defined in the GDPR. Most of GDPR’s requirements fall on data controllers. Identifying an alternative lawful ground for processing employee data is unlikely to be difficult (for example, collecting and holding bank details in order to pay a salary as part of an employment contract) but the range of employee data collected, the variety of reasons for collecting it, and uses it will be put to, pose a bigger problem. Employee training on data protection policies takes place once The Commission can demand to see these records at any time, and employers need to be able to pull these out quickly in the event of complaint or disciplinary offence, for example.
data they have is inaccurate or incomplete, Have their personal data erased by the data controller, Restrict a data controller from processing their data if they consider it (For example, where an individual’s medical history is disclosed to the The GDPR If employers wish to install all types of CCTV cameras in the workplace, they must take the following actions in order to adhere to UK privacy and data protection laws (GDPR): Employers must register as a data controller by notifying the ICO and outline the purpose of using CCTV at work. Your organisation can be inspected and could required consent and legal basis to process the data: Legal basis (legitimate reason) for processing personal While many of these rights are similar to those under the current DPA, the GDPR expands them and introduces new ones. Controlling and processing data under the GDPR - concepts and The new Bill transposes much of the GDPR text directly, while also addressing the powers of the Data Protection Authority, and applying the Law Enforcement Directive (which does not have direct effect in EU member states).