The General Data Protection Regulation (GDPR) is creeping not so slowly towards us… May 25th 2018 is just around the corner, and with it will come pressure on Human Resources departments to update their approach to handling employee data.
In particular, the GDPR introduces the concept of a “right of erasure” – a right to be forgotten. The concept already exists under EU law, but currently only applies in very limited circumstances, where data processing may result in damage or distress.
Under the GDPR, an employee will have a right to have his/her data erased and no longer processed where consent to processing is withdrawn, where the employee objects to such processing, or where processing is no longer necessary for the purpose for which the data was gathered. That said, the employer can, under certain circumstances, refuse to comply with an employee’s request for erasure of personal data – for example, where data processing is required by law or in connection with a legal proceeding.
There is also a time limit for employers to respond to a request for erasure of data – ‘without undue delay’, and in any case within one month of receipt of the request.
To meet the GDPR’s new requirements, employers have to take stock of the employee data they process. What categories of employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do employees have with respect to that information? You get the idea…
The answers to these questions are not always self-evident. Employee data could relate to current, former, or prospective employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts.
To better understand how an employee’s “right of erasure” will impact day-to-day HR operations, below are a few practical examples where an employee will have the right, under the GDPR, to request that his/her data be erased and no longer processed.
- You collected data during the recruitment process, but, following the appointment, you can no longer demonstrate compelling grounds for retaining it. This might include past employment verifications, education details, credit reporting and other financial history data, and government identification numbers.
- You collected data about an employee in order to administer benefits such as health insurance, but the employee has since opted out of the benefits program.
- You collected employee online monitoring data for work productivity purposes which is no longer needed.
- You processed data related to employee job performance issues (e.g., late arrivals, absences, disputes with a coworker, etc.) a number of years ago, and the employee has not had similar issues since.
- You collected identifying data on an employee such as an employee’s past address, phone number, email address, username, financial account information, etc., but the employee has since provided updated information.
Employers must be ready to comply with the GDPR on 25th May. If your organisation has not started, it should begin implementing policies and procedures that inform employees of their enhanced rights to control their personal data, ensure it can comply with those rights, and train the HR personnel who handle employee requests.
You can find out more about GDPR here.