Business owners should by now have pencilled in 25 May 2018 as the date when the European General Data Protection Regulation (GDPR) comes into force. But what does GDPR mean for your HR practices?
The simple answer is that it means a lot. Any company, big or small, will have to comply with new regulations regarding the secure collection, storage and usage of personal information. What’s more, non-compliance will be met with fines of up to either €20,000,000 or 4% of global turnover – whichever is higher.
How will this affect HR?
It can often be difficult to strike a balance between the privacy of an individual and the tasks that employers need to carry out. Here are the key areas where the new regulations will affect your HR practices.
Organisations should only keep personal data for as long as is necessary, and only for the purpose for which it was obtained. Therefore, the details of unsuccessful job applicants should be removed once the recruitment process has ended, unless a candidate has given explicit consent for the organisation to retain them. Likewise, employers should keep only limited data relating to employees who leave.
Targeted information only
Employers will only be able to request data from potential employees where necessary. For any other data, they will need to obtain the explicit permission of the individual. HR will need to take a critical look at the information they hold to make a proper assessment.
Demonstrate transparency and accountability
Employers must provide details of how and where they store and process employee data. They should ensure that their employees know that they can access their data by making a “Subject Access Request” (SAR). From next year, these will be free of charge (unless the amount of data requested is unreasonably large) – the previous maximum administration fee of £10 will no longer apply. Once the new rules come into force, companies must be able to prove that they comply with GDPR.
Data only used for the intended purpose
Employers may only use the information for the purpose for which they originally requested it. Personal information should not be stored for future use without permission.
One of the main goals of the GDPR is to ensure the protection of personal data. Within a business, access to confidential employee information should be on a “need to know” basis. Working closely with IT will become crucial to finding the correct balance between storing data and protecting it from outside threats. Where employers sub-contract the processing of data, they must choose a provider that offers sufficient guarantees of data security.
GDPR will have a huge impact on nearly every aspect of a business. For your HR practices, it will require a review of many of your policies and procedures. With the clock counting down to the regulations coming into force, it’s crucial that preparations get underway.
To find out more about how we could help your business prepare, arrange your no-obligation consultation today.