It is 6 months since the introduction of GDPR and time we looked at the practical implications for HR following the new data protection rules.
1. Subject access data requests
GDPR has made subject access requests (SARs) easier for employees with the abolition of the charging structure (unless the request is ‘manifestly unfounded’ or excessive) and a shorter timeframe for employers to respond.
This has resulted in an increase in the numbers received.
It is worth keeping a log of requests to calculate the response date and to check the extent of any requests once received.
If a request is particularly complex, contact the individual to see if it can be narrowed down; if not, agree on an extended response timeframe on the grounds of complexity.
2. Deletion of personal data
We’ve already seen employees and candidates requesting personal data to be erased.
However, it’s not always so black and white.
Provided the employer has not relied on consent as the lawful basis for processing (consent is generally not an appropriate basis for employees or job applicants), it is possible to reject such requests and cite another lawful ground for continuing to process the data. For example, employee misconduct or performance records need not be deleted, as they are legitimately needed for future employee management purposes.
3. Privacy notices
Some employers are still struggling with the production of privacy statements.
Under GDPR, employers must provide detailed information about the processing of personal data relating to job applicants, employees and former staff.
Employers should review (or start preparing) privacy notices; update staff policies, including data protection and IT policies; and train staff on any adjustments or new ways of working.