16.07.2020

Z000010030 FG0186 Askews_Ask HR A4 Brochure_v5_aw


GDPR – A summary of your obligations as an employer

The General Data Protection Regulation (GDPR) governs data protection and privacy for all individuals within the European Union. GDPR aims to give control back to individuals over their personal data by introducing enhanced rights, greater transparency, more onerous standards for consent and tougher sanctions for non-compliance.

Under GDPR, employers must:

+ Fairly and lawfully collect and process personal data.
+ Provide employees with information about the personal data they hold and how it is used.
+ Only use personal data for the purposes for which they collected it, unless they take additional steps.
+ Keep employee personal data accurate and up to date, and retain it for no longer than is necessary.
+ Delete or anonymise personal data once the purpose for which it was collected has been fulfilled and any applicable legal retention obligations have been met.
+ Implement appropriate technical and organisational security measures.
+ Honour employees' rights to access, correct and erase their personal data.
+ Comply with the cross-border transfer restrictions that apply to transfers of personal data to countries outside the EEA which do not ensure an adequate level of data protection.
+ Be able to demonstrate compliance with these principles.

Processing Human Resources Data

Employers may lawfully process employees' personal data if it is necessary for the performance of an employment contract, for compliance with the employer's legal obligations, to protect the employee's vital interests, for carrying out public functions, or for the legitimate interests of the employer or any third party to whom the employer discloses the personal data (provided the employee's fundamental rights and freedoms do not override those interests).

Employee Consent

Many employers justify processing personal data on the basis of employee consent, by using standard provisions in employment contracts. However, an employer must present the consent for data processing separately from any other matters and must not bundle consent with acceptance of other terms and conditions. Such consent must be specific, informed, freely given and unambiguous.

For most work-related processing of employee personal data, consent cannot and should not be the lawful basis for processing, because of the imbalance of power between the employer and the employee. Where consent is relied on, the employer must be able to demonstrate that it was given.

Data Breaches

The GDPR imposes a new mandatory breach reporting requirement. Where there has been a personal data breach (such as an accidental or unlawful loss, or disclosure, of personal data), the employer must notify the data protection authority and provide certain prescribed information without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to pose a high risk to the rights and freedoms of the individuals concerned, those individuals must also be notified without undue delay.

Processing personal data under the GDPR means carrying out any operation on personal data, including collecting, recording, organising, storing, using, disclosing or disseminating it. Employers may need to process employees' personal data for certain human resources purposes, such as recruitment, performance of an employment contract, management, planning and organisation of work, equality and diversity in the workplace, and health and safety.
