The General Data Protection Regulation (GDPR) will be enforceable in the UK from May 2018. The regulations update current legislation in the way organisations handle personal data, including what they hold on employees.
The GDPR replaces the Data Protection Directive (DPD), an EU directive introduced in 1995. The regulations have been introduced because the world of business has changed significantly since 1995. If you think back to 1995, Google hadn't been incorporated yet; just think about how much data they now hold!
How will this impact HR?
Every business has employees, and therefore the GDPR regulations mean that any personal data held on employees and potential employees will need to be reviewed. You will need to look at where and how HR data is stored and managed to ensure you comply with the regulations.
Recruitment processes and current employee information.
Consent is key to data being held.
Currently, consent to store and share data is assumed by virtue of applying for a job or signing an employment contract.
Under the new GDPR regulations, consent must be separate from any terms of agreement or contract of employment. Going forward, you will need to notify job applicants and employees of how long data on them will be stored, how it will be used, and how they can delete or rectify any data held on them.
Subject Access requests
Access requests are made by employees in order for them to have access to any records held on them, including emails. Currently, an employee has to pay for access to their records (£10, with a response due within 40 days). Under the new regulations this is changing: employees will no longer need to pay anything, and employers will have a calendar month to respond.
Penalties for non-compliance
Prior to May 2018, the penalties will be a maximum of £500,000. When the GDPR regulations come into effect, a two-tier structure will be implemented. Less serious incidents will result in a maximum fine of £7.9 million (€10 million) or 2% of an organisation's global turnover, whichever is the greater. More serious offences will have a maximum fine of £17.9 million (€20 million) or 4% of global turnover, whichever is the greater. If breaches are reported early, then a reduced fine will be considered, so if a breach does occur, it's best not to hide it and have it discovered later on!
What happens to GDPR after Brexit?
As we will still be a member of the EU in 2018, the directive and regulations will apply, with a later review of how GDPR will be dealt with post-Brexit.