DPP GDPR’s solicitors are experienced in providing companies with HR support. For legal advice and help, get in touch today on 0333 200 5859.
GDPR (General Data Protection Regulation) has applied since 25 May 2018. This piece of EU legislation requires that personal data is kept secure and private and used only for the purposes stated when it was first collected.
Human Resources departments are almost always required to retain employee data.
Often this includes personal data that would cause real harm if exposed, and in the case of health information, special category data that GDPR protects more strictly. For example:
- Bank account details
- Home addresses
- Telephone numbers or emergency contact numbers
- Information about medical conditions
As a result, HR departments must comply with the Regulation's data protection and security requirements.
Ensuring that your HR department is GDPR compliant will help you to protect your employees' personal information. It will also make a data breach less likely, and with it the enforcement action or fine from the ICO that a breach can bring.
Our legal experts will ensure that your HR department adheres comprehensively to GDPR. Contact us on 0333 200 5859 for further details.
How our GDPR solicitors can help your HR team
The legal experts at DPP GDPR are experienced in providing data protection advice to HR teams. They can:
- Help you to draft new employee contracts that are clear about how you will protect data and what you will use it for
- Provide support throughout any investigation by the ICO (Information Commissioner’s Office)
- Help you to revise data protection processes, identify the correct lawful basis for each use of employee data (including consent where it is genuinely appropriate) and inform staff of their individual rights
- Talk you through the processes of legally and securely handling, transferring or sharing data
- Help you to react correctly to a data breach without undue delay, including assessing whether the ICO must be notified within 72 hours and whether affected employees must be told
- Build a strong defence for you if you are prosecuted for any employee data breach
Alongside this, our solicitors can advise your HR department about:
- Commercial and corporate law
- Employment law
- Contract law
- Technology law
- Intellectual property law
Updating your documents
To ensure that your HR department is GDPR compliant, it may need to revise the policies and information distributed to staff.
It will need to update existing documents, such as general privacy policies, but it may also need to create new ones. These could include:
- An up-to-date data protection policy
- A Subject Access Request policy for employees who ask you to disclose the data you hold about them, which you must normally do within one month
- A data breach policy, listing the necessary steps to take should the security of your employee data be breached, including who assesses the breach and who is responsible for notifying the ICO
- A new privacy statement
- Any additions to the existing employee contract, including details of their rights as data subjects
It is important that your employees understand their rights under GDPR, which are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Details of these rights should be made accessible to them at all times.
Frequently asked questions
When can consent be relied on to process employees' personal data?
GDPR legislation states that consent must be “freely given, specific, informed and unambiguous”.
However, it's important to realise that employees may feel obliged to give consent for fear of jeopardising their career. Because of this imbalance of power, consent from an employee will rarely count as "freely given", and an employee who does consent can withdraw that consent at any time.
It is a good idea to explain employees' rights in their contract, but any request for consent should be presented separately from the contract's other terms, so that it is clearly distinguishable and can be refused or withdrawn without affecting the employment. In most cases, though, consent is not needed, because GDPR provides other lawful bases. Processing is lawful without consent if it is:
- "necessary for the performance of a contract with the data subject", e.g. processing bank details to pay wages under the employment contract
- "necessary for compliance with a legal obligation", e.g. reporting pay and tax to HMRC
- "necessary for the purposes of legitimate interests pursued by the controller", provided those interests are not overridden by the employee's own interests and rights
This means that you may process data that is necessary to employ the subject even if you don't have their explicit consent, but you should record which lawful basis you rely on for each type of data and state it in the privacy notice you give to employees.
Does the GDPR require you to amend contracts of employment?
You will probably not need to change anything about your staff contracts if you are processing data in a way that is expected for employment.
If you wish to use information that is not normally required by an employer, you may need to create a new separate document to request their consent.
How long should employee data be kept under GDPR?
In general, you can keep the data required to employ staff lawfully for as long as it is needed for that purpose.
Under GDPR, you should not keep data for any longer than is required. However, if an employee has left, you may still need certain information about them later, for example to defend a claim they bring against you.
Therefore, you should consider keeping contracts and similar details for six years after an employee leaves, which matches the limitation period for contract claims in England and Wales, and record the periods you choose in a retention schedule. Remember that retained data must remain secure and cannot be used for any purpose that was not originally specified to the subject.
Contact our solicitors today on 0333 200 5859 for further information about HR GDPR compliance. We can also provide legal advice on your data protection policies and documents or defend you if you’ve experienced a data breach.