Getting in Touch with Your GDPR.

By Andrew Knorpel, Partner and Head of Employment

In our last bulletin, we started to have a look at what the General Data Protection Regulation (“GDPR”) will mean for employers when it comes into force on 25 May 2018. In this bulletin we take a more detailed look at audits and consent.

Your preparation for the GDPR should start with an audit of all data held, who deals with it, with whom they share it, what is the justification for doing so and how long it will be held. This will be a cross-departmental project, involving not just HR, but also IT, marketing, compliance and all other parts of your organisation which process personal data.

Once the information has been gathered and collated, it will need to be cross-checked and analysed before being set out in a comprehensive report that includes an action plan. As is always the case, the information coming out of an exercise is only as good as the information that was put in. Therefore, all relevant stakeholders across the business need a clear understanding of the project, the meaning of personal data (including automated data and images), the processes and procedures currently in place (including the operation of software packages) and the all-important reasons why data is being processed.

It’s always worth reminding people about the potential fines for non-compliance once the GDPR is in force – up to €20 million or 4% of global annual turnover (whichever is higher) in the event of default (not to mention damage to your corporate reputation).

If you engage with third-party contractors (such as outsourced payroll providers, recruitment agencies, IT helpdesks or public relations agencies), you will need to consult with these organisations too, asking all the same questions to ensure you have a clear understanding of what happens to personal data in their hands.

As mentioned in our last article, it will become much harder to use consent as the basis for processing employees’ personal data as you wouldn’t want an employee to be able to withdraw consent where it would adversely affect the normal operation of your business. Where you have personnel management, marketing, organisational or regulatory reasons, it may not be necessary to rely on an employee’s consent to process their data and you would be better to rely upon one of the other legal bases. These are likely to be where it is necessary for the performance of the employment contract (eg auto-enrolment compliance) or pursuit of legitimate interests (eg contact details on your website).

However, consent may still be required where there is no legitimate reason for processing such data without the employee’s consent. Examples might include publishing someone’s qualifications or favourite pastimes in their website biography. In these cases, you will have to obtain very specific consent for your particular activity.
