HOW TO MAKE YOUR HR POLICIES GDPR COMPLIANT

17 August 2018

The General Data Protection Regulation (GDPR) became enforceable on 25th May 2018, bringing major changes to the way data is protected and prompting employers to reconsider their employment and HR procedures and amend them in order to comply with GDPR requirements.

 Employers should maintain focus on the following factors:

 Recruitment Process

During the recruitment process it is vital that employers set out an appropriate privacy notice, regardless of whether an employer collects data directly from the applicant or through a recruitment agency. The privacy notice must include:

  • The rights of the applicant.
  • The purpose for processing the applicant’s data.
  • The period of retention regarding all of the applicant’s data.
  • The legal basis for processing the data.

It is also important for an organisation to consider how all documentation from applicants, and the data it contains, will be used if the candidate is unsuccessful.

When using a recruitment agency or third party, the employer must have a written contract with them regarding data processing.

 

New employees

Once an applicant is recruited, the employer must ensure that pre-employment checks are conducted and that additional information is collected before they begin working.

If the pre-employment checks are successful, an employer must then provide new employees with a data protection policy.

Employers must also produce written contracts with any third-party data processors, i.e. payroll.

 

Continuous employment

During employment, employers will usually obtain further information from all staff members. This may include information regarding absence, health, performance and any disciplinary or grievance issues.

This additional information should be covered by the privacy policy and, if necessary, explicit consent may need to be obtained from the employee.

 

Employment termination

Once an employee’s contract is terminated, the information an employer holds should only be retained for a specific period under GDPR requirements, although this retention period should be set by the employer.

It is vital that an employer considers carefully the information they intend to retain, as retaining information comes with risk. It is therefore important to understand the risks specific to the organisation and to set out clearly the reasons for retaining the information.

Employers should be aware that potential, current, and former employees still have the right to make a Subject Access Request for data held by their employer, which must be fulfilled within a month. During this process, the requestor can, under GDPR, ask for their information to be amended if they feel it is inaccurate.
