GDPR and HR

The General Data Protection Regulation will be enforced in May and clubs must comply. In the second of our series of articles on the subject, Joanne Bone, of employment law specialists Irwin Mitchell, looks at how it will affect HR.

The way in which golf clubs process data is changing significantly. All businesses that use personal data have until May 25 to comply with the new General Data Protection Regulation (GDPR) legislation. The penalties for non-compliance are potentially huge, with fines of up to 20 million euros, or 4% of annual worldwide turnover, whichever is bigger, levied on businesses that don’t get up to speed.

You may think data protection only applies to your relationship with customers. But it applies to your staff as well. Here are some of the issues you’ll need to consider as you look at GDPR and HR...

Do we need to undertake a data audit in respect of our staff?

Yes. We would suggest that, if you have not already done so, you carry out a data audit in order to identify areas where action needs to be taken to ensure compliance with GDPR.

There is no set way to carry out a data audit but, in general, you need to understand the staff data that is held within your organisation, where that data comes from and where/how it is stored, what happens to it while it is within the organisation and when and how it is deleted. You will need to consider these data processing activities in light of the requirements of the GDPR. Where you identify any areas of non-compliance, or where activities pose a risk to the business, you will need to formulate a plan to address them.

The scope of the audit should include all staff personal data held in electronic format or contained within a structured manual filing system. It may be that you need to consider data stored or processed outside of the HR department, such as by finance or a third party provider. Your audit may, therefore, have multiple stakeholders, and the timeframes necessary for carrying out this activity should not be underestimated.

Our employment contracts contain clauses in which the employee consents to us processing their data. Can we continue to rely on these?

Probably not. Under GDPR, consent needs to be specific, informed and freely given, which means that individuals should have a genuine and free choice as to whether or not to consent to the processing and should be able to refuse or withdraw consent without detriment. Current draft guidance from the Information Commissioner’s Office is that employers are unlikely to be able to rely upon consent as the lawful purpose for processing most employee personal data, because of the imbalance of power in the employer/employee relationship.

There are, of course, other lawful purposes which most employer processing activities will fall under, but in accordance with the new accountability principles, you will need to be clear from the outset about the lawful purpose on which you are relying. ...