The General Data Protection Regulation (GDPR) came into effect on Friday 25th May 2018. There was a massive amount of publicity around this subject, with most of it relating to the processing of personal data held about customers or potential customers. But GDPR also has a significant impact on businesses that employ people, including workers and consultants who work for the business.
A great deal of what a business does in relation to its employees involves the processing of personal data: background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, file notes, minutes of meetings, emails referring to employees (even indirectly). All of these will involve the processing of personal data, and so GDPR applies.
When we talk about GDPR with organisations and businesses, we ask about the personal data they hold on their own people. Sometimes we see the penny drop. GDPR isn't just about mailing lists and customer personal data. GDPR puts data security and privacy of employees' personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law.
The main points are to know what personal data you hold about employees, why you keep it, where you keep it and what you do with it, and to provide information to employees about that data.