GDPR for HR

How will the new regulations affect HR professionals?

Whilst HR professionals are used to handling personal data and data subject access requests, the General Data Protection Regulation (GDPR) significantly changes the way in which data must be collected, stored and processed, and what the business must be able to demonstrate about each of those activities.

Significantly, HR professionals will need to identify and document a lawful basis for each way in which employee data is processed. Where consent is relied upon it must be explicit, unambiguous and freely given; because of the imbalance of power between employer and employee, consent will rarely be freely given, so another basis (for example, performance of the employment contract or compliance with a legal obligation) will usually be needed. HR should take the opportunity to lead by example and demonstrate to the wider business how to handle customer and client data.

Before staff can be expected to understand the implications of the GDPR, training will be imperative. Staff will need to be trained on all data protection policies and procedures, and HR will no doubt be instrumental in implementing and delivering this training after 25 May 2018 if they have not already done so.

Staff will need to understand their role when it comes to handling data and grasp the extent of the repercussions if they fail to adhere to the new regulation. A personal data breach must be reported to the supervisory authority (in the UK, the Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The individuals affected must also be told without undue delay where the breach is likely to result in a high risk to them. The penalties for non-compliance are significant: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

HR professionals will need to explain the implications of the new data rights and ensure that staff understand that the business must not only have a lawful basis (of which consent is just one) for processing and storing customer and client data, but that those individuals have, among other rights, the right:

  • To be informed
  • To access their data
  • To rectify their data; and
  • To be forgotten (erasure).

The rules on data subject access requests have also changed. Data controllers must now respond to these requests within one month (extendable by a further two months where a request is complex or numerous) and no longer have the scope to charge a standard administration fee; a reasonable fee may only be charged where a request is manifestly unfounded or excessive. This revision, together with the abolition of employment tribunal fees, is likely to mean an increase in the number of data subject access requests that data controllers receive.

HR professionals should by now have audited the employee data they hold and begun analysing whether each item is actually necessary. Whilst some data may be essential, it is likely that some will be superfluous and should therefore be deleted, and any data that is inaccurate should be corrected.

Unless there are legal or legitimate business grounds for retaining it, data should be deleted once it has fulfilled the purpose for which it was collected.

HR professionals should have revisited the data protection practices set out in employment contracts, staff handbooks and company policies, and ensured that the business is GDPR ready and compliant.

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.

Read our latest views & insight about the GDPR

  • GDPR one year on: make sure your small business is compliant. Chris Cook shares vital tips for SMEs who haven't done anything to abide by the GDPR, and how they can start going about compliance.
  • GDPR one year on. Subject access requests and complaints have been commonplace since the GDPR came into effect. Find out more about the trends and traps.
  • What to expect in Data Protection Law in 2019. Our Data Protection Team highlight what we can expect to see from the Data Protection Act in 2019 and the potential impact of the E-Privacy Regulation.
  • Google issued with £44m fine over GDPR breach. Head of Employment and Data Protection, Chris Cook, explains Google's GDPR breach that led to a landmark £44 million fine.
  • What is the difference between a controller and processor under the Data Protection Act 2018? Partner and Head of Employment & Data Protection, Chris Cook, describes how to distinguish between a processor and a controller under the GDPR.
  • GDPR - 6 Months On. Partner and Head of Employment & Data Protection Chris Cook comments on the impacts of the GDPR over the past 6 months.
  • ICO publishes passwords and encryption guidance. Partner Chris Cook identifies the new ICO guidance on passwords in online services and encryption under the GDPR.
  • GDPR and SARs; staying compliant and protected. Partner and Head of Employment & Data Protection, Chris Cook, writes in Education Executive about the GDPR and SARs.