The new GDPR legislation will come into effect on 25th May 2018. The Data Protection Act stipulates that data and records should only be stored for as long as they are useful, so it’s up to you, the employer, and your HR policy to determine how long those records remain useful. Different records may also need to be disposed of at different times. For example, it may not be necessary to retain financial information for long after an employee has left the company, whilst basic contact details may be important to your company for several years after an employee has left.
It’s generally recommended that personal information of employees, including contact details, appraisals and reviews, be kept for at least 5 years. Keep hold of employees’ financial records for at least 3 years, as HMRC may request to see them during this time. However, from 25th May 2018 this will change with the introduction of the EU’s General Data Protection Regulation (GDPR). Data controllers and processors need clarity on what data they hold and how the personal data is used. You need to make sure your systems protect privacy and that contractual provisions are in place with clients and service providers to ensure compliance and that adequate indemnities exist.
Under the new regulations, companies must keep a thorough record of how and when an individual gives consent to store and use their personal data. Consent will have to be an active agreement. GDPR requires SMEs to know exactly what personal data they hold and where it is located (whether on PCs, on servers, or in the Cloud), and to have procedures in place to ensure its complete removal when a request to do so is made. SMEs should start to plan and implement well in advance of the 2018 deadline. Personal data is a key tool for SMEs looking to target and retain customers: GDPR means it must be handled with the utmost care.
The new GDPR legislation applies both to automated personal data and to manual filing systems in which personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
The New GDPR Legislation in a Nutshell
- The definition of personal data is broader, bringing more data into the regulated perimeter
- Consent will be necessary for processing children’s data
- The rules for obtaining valid consent have been changed
- The appointment of a data protection officer (DPO) will be mandatory for certain companies
- Data protection impact assessments become mandatory
- There are new requirements for data breach notifications
- Data subjects have the right to be forgotten
- There are new restrictions on international data transfers
- Data processors share responsibility for protecting personal data
- There are new requirements for data portability
- Processes must be built on the principle of privacy by design
- The GDPR is a one-stop shop
For most organisations that keep HR records, customer lists, contact details and the like, the change will make little difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the new GDPR legislation. But if you are concerned about these changes and what you need to do, please call or email us.
Metis HR is a professional HR Consultancy based in the North West of England supporting clients across the country. We specialise in providing outsourced HR services to small and medium-sized businesses. Call us now on 01706 565332 to discuss how we may help you.
We can now provide on-site mentoring services. These are designed to resolve workplace conflicts between employees who have previously worked well together. For further details, email Ali Penney at mediation@metishr.co.uk