What HR need to know about the GDPR

16 February, 2018

The GDPR, which comes into force on 25 May 2018, means that consent needs to be specific, informed and freely given.

That means employees should have a genuine choice as to whether or not to consent to the processing and should be able to refuse or withdraw consent freely.

Most employer processing activities will fall under the ‘lawful purposes’ definitions but, in accordance with the new accountability principles, an employer needs to be clear from the outset about the lawful purpose on which they are relying, and should keep a record of this.

GDPR lawful purposes for ordinary personal data include processing on the basis of:

  • legitimate interest of the data controller;
  • necessity for the performance of a contract;
  • compliance with a legal obligation;
  • protecting the vital interests of the data subject;
  • necessity for the performance of a task carried out in the public interest.

If an employer is relying on consent for any aspect of employee data processing, then they need to ensure that:

  • consent is a separately agreed ‘opt in’ (not contained in terms and conditions of employment). It must not be vague and must be refreshed every two years;
  • consent is specific to the data in question and what the employer is using it for;
  • if the employer is sharing the data, each third party is named and specific consent is sought;
  • the employer advises that consent may be withdrawn and how to do this;
  • the employer keeps specific records regarding consent to demonstrate compliance.

Subject access data requests

Under the GDPR, subject access requests (SARs) will entitle employees to more detailed information regarding the way in which their data is processed, will reduce the time limits for the employer’s response and will abolish the current £10 fee for responding to a SAR.

Employers are currently obliged to comply with a SAR within 40 days of the request.

The GDPR will require employers to comply without undue delay and at the latest within 30 days, although this can be extended for up to two additional months for particularly complex or numerous requests.

It may be possible to request a reasonable administration fee where the SAR is ‘manifestly unfounded or excessive’; however, guidance is limited on what this will cover.

We are currently updating Data Protection policies and advice on consent and will be in touch soon!

Solutions for HR, 10 St Mary's Place, Bury, Lancs BL9 0DZ
0161 694 7050

© 2018 Solutions for HR. All Rights Reserved.