
GDPR and HR: What you need to know

ISSUE

The much-anticipated General Data Protection Regulation (‘GDPR’) will come into force on 25 May 2018.

Employers and HR professionals will be particularly interested to know how the new regime affects the collection and processing of HR-related data, especially considering the significant penalties that the GDPR will introduce.

Key areas of significant change are:

Employee Consent
It will be harder for employers to justify processing employee personal data based on consent. The GDPR introduces prescriptive requirements for obtaining consent, and employees must be able to withdraw consent at any time. Employers should therefore consider other legal grounds to process data, for example legitimate business interests, performance of the employment contract or compliance with a legal obligation.

Privacy Notices
The information which must be provided to staff and job applicants at the point at which data is collected will be more detailed. This includes, non-exhaustively, how long data will be retained, whether data will be transferred overseas and the mechanism by which these individuals can make use of their data subject rights.

Employee Rights
Enhanced rights for staff include, in certain circumstances, a new right to have data deleted and a right to have data rectified. Changes will also be made to data subject access requests, including a revised response time and the provision of more detailed information in response to a request. Employers should consider how these rights will be dealt with in practice.

Breach Notification
A new mandatory breach reporting requirement will be introduced whereby breaches likely to pose any risk to the member of staff must be notified to the Information Commissioner within 72 hours. The member of staff will also have to be notified where the breach poses a high risk to their rights and freedoms. Employers should therefore develop a breach plan, enabling them to react promptly in the event of a breach.

ACTION

If your organisation hasn’t yet started working on GDPR compliance, or if you are still in the process of finalising how your organisation should respond to this important piece of new legislation, there is still time. Contact us to seek expert legal advice if there are areas that you require assistance with.

This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: mailinglists@greenwoods.co.uk



