Page 10 - Gi flipbook May 2018

NEWS | MANAGEMENT


Major changes to data protection to come into effect
[Image caption: Changes to data protection come into effect this month]

The General Data Protection Regulation (GDPR) comes into force on 25 May, introducing a seismic shift in the way any company with clients or workers in the EU collects, stores, manages and uses personal data – and inflicting eye-watering fines of up to four per cent of annual turnover on anyone in breach.

The specific requirement in the regulation means employers need to process personal data lawfully, in a fair and transparent manner, only as specified and for legitimate reasons. Data must be relevant and necessary, accurate and kept up-to-date, retained for no longer than is necessary and held securely.

Personal data includes anything that can be used to identify an individual, such as location, genetic and biometric data such as facial recognition and fingerprinting, reports People Management.

One of the main changes affecting HR teams is the consents required from workers, contractors, job candidates and others whose data they handle. Consent must be “freely given, specific, informed and unambiguous” – meaning pre-ticked boxes won’t suffice – and consent for each purpose must be obtained.

The GDPR’s consent requirements scupper the long-term assumption that the processing of HR data can be done by reference to consent in the employment contract, largely because the imbalance of power in an employer-employee relationship means it is questionable that consent is “freely given”. There are, however, other options available. “Employers can claim it is necessary for the performance of a contract (the processing of the employee’s bank details and personal data for the purposes of paying the employee), or compliance with a legal obligation, such as checking that a successful candidate has the right to work in the UK,” says Michelle Morgan, Senior Associate at law firm Gardner Leader.

There are also different lawful conditions for processing sensitive personal data (i.e., health, race or ethnicity, and trade union membership), says Shoosmiths Employment Partner Gwynneth Tan. “These include: compliance with employment law; to defend legal claims; for occupational medicine; and to assess an employee’s ability to work,” she added.

When carrying out due diligence such as immigration checks, HR needs to make clear what the legal basis is to process personal data, how long the data will be retained and whether it will be transferred overseas. “HR should obtain consent from the employee or interviewees and ensure there is a record of how and when consent was given,” said Ben Power, Senior Partner at Springhouse Solicitors.

Data subjects can object to processing unless the controller shows compelling legitimate grounds for it, and data handlers must erase personal data without undue delay on request where: it is no longer necessary for the purposes collected; the person withdraws consent; or the person objects to data processing.

HR teams need to rethink how they approach data retention, ensuring increased understanding of what information is needed for, for how long it is needed and how systems can be adapted to help drive regular cleansing of unneeded or excess data, says CMS Employment Partner Alison Woods.

HR must also ensure the core GDPR principles are embedded into the team’s approach to processing the personal data of their workforce, said Tan. She added: “This will include communicating privacy notices to job candidates and the workforce, adding controller-processor clauses to third-party agreements, implementing effective systems to support compliance measures and introducing a training programme to educate staff on their rights and obligations.”

A blanket policy of asking employees for details of criminal convictions to be disclosed when they join the business is also unlikely to be acceptable from 25 May, she added.

Most public authorities and those that process certain data in a large-scale, regular manner as part of their core activities must appoint a data protection officer (DPO), to oversee compliance with the GDPR, said Power. “The DPO must have professional experience and expert knowledge of data protection laws and practices as they will be the first point of contact in respect of data protection matters,” he said.


