General Data Protection Regulation will be enforced in May and clubs must comply. In the second of our series of articles on the subject, Joanne Bone, of employment law specialists Irwin Mitchell, looks at how it will affect HR.

The way in which golf clubs process data is changing significantly. All businesses that use personal data have until May 25 to comply with the new General Data Protection Regulation (GDPR) legislation. The penalties for non-compliance are potentially huge, with fines of up to 20 million euros, or 4% of annual worldwide turnover, whichever is bigger, levied on businesses that don’t get up to speed.

You may think data protection only applies to your relationship with customers. But it applies to your staff as well. Here are some of the issues you’ll need to consider as you look at GDPR and HR...

Do we need to undertake a data audit in respect of our staff?

Yes. We would suggest that, if you have not already done so, you carry out a data audit in order to identify areas where action needs to be taken to ensure compliance with GDPR. There is no set way to carry out a data audit but, in general, you need to understand the staff data that is held within your organisation, where that data comes from, where and how it is stored, what happens to it while it is within the organisation, and when and how it is deleted. You will need to consider these data processing activities in light of the requirements of the GDPR. Where you identify any areas of non-compliance, or where activities pose a risk to the business, you will need to formulate a plan to address them.

The scope of the audit should include all staff personal data held in electronic format or contained within a structured manual filing system. You may also need to consider data stored or processed outside the HR department, such as by finance or a third-party provider. Your audit may, therefore, have multiple stakeholders, and the time needed to carry out this activity should not be underestimated.

Our employment contracts contain clauses in which the employee consents to us processing their data. Can we continue to rely on these?

Probably not. Under GDPR, consent needs to be specific, informed and freely given, which means that individuals should have a genuine and free choice as to whether or not to consent to the processing and should be able to refuse or withdraw consent without detriment. Current draft guidance from the Information Commissioner’s Office is that employers are unlikely to be able to rely upon consent as the lawful purpose for processing most employee personal data, because of the imbalance of power in the employer/employee relationship. There are, of course, other lawful purposes which most employer processing activities will fall under, but in accordance with the new accountability principles, you will need to be clear from the outset about the lawful purpose on which you are relying. ...