After months of speculation on how GDPR will affect UK businesses, the wait is over: the new law came into force on 25th May 2018. Quite how the UK Information Commissioner will interpret GDPR in the "real world" is yet to be revealed, but some facts are already unequivocal, and this is what you need to know.
You need to take GDPR seriously, no matter how large or small an employer you are. The maximum fine for non-compliance is 20 million euros or 4% of worldwide annual turnover, whichever is higher, which for some companies and organisations could amount to staggering sums.
You need to treat the data you hold on your employees with respect and care. It needs to be stored securely, and you have new obligations when personal data is lost or compromised: unless the breach is unlikely to pose a risk to the people affected, it must be reported to the Information Commissioner within 72 hours of you becoming aware of it, and where it is likely to result in a high risk to those people, the affected employees must also be told without undue delay. If this does happen, it is likely that the payroll department will be the one doing the notifying, as it is usually the department that holds and uses employees' personal data on a daily basis.
GDPR requires that your employees know what data you hold on them and what you use it for, which in practice means giving them a clear privacy notice. Each processing activity must also rest on a lawful basis. Consent is one such basis, and where you rely on it employees can withdraw it at any time, so it is rarely the right basis for core payroll processing; for the data you must hold and report in order to carry out your duties for HMRC, for example, your legal obligation is the basis on which you hold and process it, and that does not depend on the employee's consent.
However, you also need to know that your employees now have enhanced rights to access the data you hold on them and to ask for it to be corrected or deleted (bearing in mind that deletion does not apply to records you are legally required to retain, such as payroll records kept for HMRC). If you do not have a centralised system and instead rely on spreadsheets and assorted paper documents, pulling this information together could be time consuming, and under GDPR you have one month to respond to such a request (extendable by a further two months only where the request is complex), not the 40 days allowed under the old Data Protection Act.