GDPR and the HR Function

The changes coming in May 2018 have been well documented, and I doubt there are many businesses that haven’t, at the very least, heard about GDPR, the General Data Protection Regulation. With the deadline to get your house in order approaching, most businesses will have done their due diligence by now – although I suspect there are some that will ‘wing it’ and cross their fingers! From marketing to customer orders, payments to developing an ongoing client relationship, no stone should be left unturned.

But what about your staff?

Unfortunately (or fortunately, depending on how you embrace this change), there will need to be some changes to the way you manage and process your staff’s personal information. Therefore, an additional exercise should be carried out to ensure you comply with the regulations in this area of your business too.

You need to ask:
• What information do I hold on staff?
• For what purpose is that information being held?
• Do I really need to keep that information – and if so, in what format?

By far the easiest way to comply with the regulations is to move everything you have in a paper filing system onto an online, cloud-based HR Information System. Sounds expensive? Aside from the initial set-up cost, it is actually a very cost-effective way of managing all areas of the employment life cycle, however small your business is: recruitment, induction, training and development, performance management, holiday and sickness records, etc.

However, if you want to keep a paper-based filing system, you must ensure your line managers understand the full impact of the regulations. For example, a personally identifiable home phone number kept in an unlocked top drawer would not be considered as keeping personal information safe. The letter you received from an employee’s doctor can no longer be stored in your filing tray.

In terms of HR overhaul, you need to ensure absolutely all personal information is kept safe and secure. You will need to obtain direct and separate written permission from each employee, allowing you to hold certain information. Should you receive a Subject Access Request, you will have just 30 days to comply (reduced from 40), and you will no longer be able to charge the employee up to £10 to gather the information together – after all, the information should be readily to hand anyway.

If you haven’t already done so, you need to look at how you manage staff data and what improvements you need to make to comply with the regulations – including updating or drafting your data protection policy.

Should you need help with your HR GDPR compliance, please do not hesitate to get in touch.

Sarah Shephard
HR Consultant – Ascentant Ltd