To help you prepare your HR policies for GDPR, we have compiled a list of FAQs. If you would like any support with reviewing and updating these, please contact Hallidays' friendly HR Team on 0161 476 8278 or email@example.com.
Who are ‘data subjects’?
GDPR uses the term ‘data subject’ for any identified or identifiable individual whose personal data you process. In an HR context that covers not only employees but also other workers: casual and temporary staff, students, work experience students, interns, volunteers, agency workers, contractors, sub-contractors and self-employed consultants. It also covers job applicants and former staff for as long as you retain records about them.
Do I need to make changes to employment contracts?
If, like most employers, your employment contracts contain an express contractual clause under which the employee agrees to you processing their data, then yes, you will need to make changes. Under GDPR that kind of blanket ‘express permission’ buried in a contract is not valid consent: consent must be freely given, specific, informed and as easy to withdraw as it was to give, and the imbalance of power in an employment relationship means it will rarely be freely given. In practice employers rely on another lawful basis for routine HR processing (performance of the employment contract, a legal obligation such as payroll and tax reporting, or legitimate interests) and reserve consent for genuinely optional processing. Review and revise the data clauses in your contracts for new staff, and for existing employees identify and document the lawful basis for each HR processing activity rather than simply asking them to sign a fresh consent.
Do employees have any special rights under GDPR?
Yes, they have a number of specific rights including having the right to:
- Be informed about processing
- Access data held about them
- Request rectification of data
- Request erasure of data
- Restrict processing
- Data portability
- Object to processing carried out on the basis of ‘legitimate interests’ (or a public task), on grounds relating to the employee’s ‘particular situation’, and withdraw consent at any time where consent is the basis being relied upon; and
- Not be subject to a decision based solely on automated processing, including profiling, where it produces legal or similarly significant effects for them
Part of our recruitment process includes automated scoring. I understand that GDPR gives applicants special rights in this area.
Yes. Where a recruitment decision (for example, automatic rejection below a cut-off score) is based solely on automated processing, applicants have the right to obtain human intervention, to express their point of view and to contest the decision. In practice this means they can ask for any test or recruitment score to be reviewed by a person.
You will need to revise any process that includes automated scoring so that a meaningful human review step exists, and tell applicants about the automated scoring and their rights in the information you give them when they apply.
Do we need to make changes to other HR processes that rely upon automated decision making?
Yes. Applicants and employees have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces a ‘legal effect’ or a similarly ‘significant effect’ on the individual. Where such a process applies, subjects must be able to obtain human intervention, express their point of view and challenge the decision, and the human review must be a genuine review by someone with the authority to change the outcome, not a rubber stamp.
This might apply for example, to the application of triggers for performance or absence management or scoring for redundancy selection or de-selection.
Review and amend any HR process that uses employee data. Ensure not only that you have an appropriate lawful basis for the processing (consent is rarely the right one for employees, because it is hard to show it was freely given), but also that any data you base decisions on is accurate and up to date; a decision driven by an out-of-date absence or performance record is exactly the kind of decision the individual is entitled to have rectified and challenged.
Employers would be wise to consider whether they need to introduce further safeguards, such as a documented human-review step, before relying on such decisions.
We have undertaken an audit of all the HR information we retain, from data collected at the application stage through payroll information to next of kin details. Have we missed anything?
HR faces specific challenges under GDPR because much of the information collected is unstructured in how it is stored (for example, emails about work matters might also contain personal data about employees). This becomes a considerable headache when an employee makes a subject access request, because you must search that unstructured material (mailboxes, shared drives and the like) as well as the HR system to find all the data you hold about them.
In an employment context, data processed on employees can include pre-employment vetting, payroll, monitoring of timekeeping and absence, personnel records, CCTV, computer access information, emails, phone records, appraisals, mileage information, tachograph information, door access records, expense claims and so on. Note that several of these (CCTV, computer access logs, door access records, phone records) are security and monitoring data rather than ‘HR’ data in the everyday sense. They are still personal data about identifiable staff, so they need the same lawful basis, retention period and coverage in your privacy notice, and staff should be told that the monitoring takes place and why.
Do we only need to be concerned about employee data once someone has joined our employment?
No, you need to treat data collected during the recruitment process in the same way. You will need to draft a ‘GDPR – Fair Processing Notice’ (a privacy notice) to issue to all applicants from whom you collect data. Among other things (who you are, why you are processing the data, the lawful basis, who it is shared with, and the applicant’s rights), this must tell applicants how long you will retain their data, including the data of unsuccessful candidates.
Further information and support
If you would like any support with reviewing and updating your HR policies to comply with GDPR, please contact Hallidays' expert HR team on 0161 476 8278 or firstname.lastname@example.org. You can also learn more about how you can prepare your whole business for GDPR and create a culture of data and security awareness via our GDPR webpage.
Posted 27th February 2018