Under the GDPR the information you need to give people about the data you hold and process will be more detailed than under the Data Protection Act 1998. Currently you probably rely on a clause in your employees’ contracts stating that they consent to the processing of their data, possibly with a little information about what you do with the data you hold.
Under the GDPR the requirements become rather more involved. You will need to provide a “privacy notice” giving employees more detailed information about how you deal with their data. Here are some of the key things you need to know.
What information to give
Under the GDPR you will be required to provide employees with the following information about their data:
- the identity and contact details of the employer as a data controller;
- if your business needs to have a Data Protection Officer, their contact details;
- the purposes for which the data will be processed and the legal basis for processing, including, if relevant, the legitimate interests relied on;
- the categories of personal data to be processed;
- the recipients of the data;
- any transfer of the data outside the European Economic Area (EEA), and the safeguards relied on for that transfer;
- the period for which the data will be stored or, if that is not possible, the criteria used to decide it;
- the rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority;
- the consequences for the data subject of failing to provide data necessary to enter into a contract; and
- the existence of any automated decision-making and profiling, and the consequences for the data subject.
You will need to provide your staff with this information at the point you collect the data, and if the purpose for which you are processing the data changes, you will need to notify them of the change before the new processing starts.
Data subject access requests
You will be aware that under the existing Data Protection Act your employees have the right to be given copies of their personal file and other data you are processing about them, as well as information about the data.
This right will remain under the GDPR but the requirements on employers will change slightly. You will need to provide the information more quickly: no later than one month after the request, extendable by up to a further two months if the request is particularly complex or numerous (and the employee must be told of the extension within the first month). You will no longer be able to charge a standard fee for responding; a reasonable fee may only be charged where a request is manifestly unfounded or excessive, or for further copies of the same data.
You will need to have clear, transparent and accessible systems in place to ensure that your business can comply with access rights, and will need to be able to show what these systems are.
What about data during recruitment?
Under the GDPR you will also need to issue a privacy notice to applicants for jobs, as you will also be holding and processing their personal data. The information you are required to give is the same as the information you must provide to employees as set out above.
You don’t necessarily have to issue a privacy notice separately to each candidate. Instead you could put it on your website and make sure candidates are told that it is there and given a link to it. If you share vacancies on a recruitment website such as Indeed, you could provide a link to the privacy notice within the vacancy details.
You may use an agency for recruitment, and if so, they will also be handling candidates’ personal data, either on your behalf as a data processor or in their own right as a data controller, depending on the arrangement. Although they are responsible for their own compliance with the GDPR, you should satisfy yourself that they have the necessary systems and security arrangements in place, and where they act as your processor you will need a written contract with them that meets the GDPR’s requirements for processor contracts.
You will need to keep data about unsuccessful job candidates for a short period in case you have to respond to a tribunal claim brought by a candidate, but you should only keep it for the shortest period necessary, i.e. until the candidates are out of time to bring a claim.
Some businesses have a policy of keeping job applications on file in case of future vacancies, but you should get out of the habit of doing this if possible. If you analyse how often you have actually contacted candidates from past recruitment campaigns about later vacancies, it is probably infrequent. Encouraging candidates to monitor your website for future vacancies and to apply at the time, if they are available and interested, is a more sensible way forward.
If you use any automated process for shortlisting candidates, you need to review whether this is strictly necessary and lawful. Candidates have the right under the GDPR not to be subject to a decision based solely on automated processing which has legal or similarly significant effects on them, and employers can use such automated decision-making only if it is necessary for entering into or performing a contract with the candidate (for example if you receive extremely high volumes of applications and automated processes are the only practical way of dealing with them), if it is authorised by law, or with the candidate’s explicit consent.
If after reviewing the situation you decide you do have grounds to continue with automated recruitment shortlisting and want to do so, you must tell job candidates in the privacy notice, explain the logic involved and the likely consequences for them, and ensure they are aware that they can contest the decision, put forward their point of view and request that a decision about their application be made by an actual person.
If you’d like some advice on suitable privacy notices for staff and job applicants, do get in touch.