Ensuring GDPR Compliance Regarding Your Employee Data in the SME Sector.

By Louisa Meehan, Woodview HRM

The new General Data Protection Regulation (GDPR) regulations come into effect in Ireland on May 25th 2018.  There has been much discussion in the business community regarding preparation and compliance regarding our customer data, but what about your employee data? When it comes to our employees, often we can hold much more sensitive and personal data than we ever would for a customer so are we giving them the same consideration regarding this information?

The Basics

Let’s take the opportunity to refresh on some of the basics first:

  • Personal data is any information related to an identified or identifiable natural person (‘data subject’). This definition not only includes names and other factors specific to the identity of the individual but also online identifiers such as an IP address and location data.
  • Sensitive personal data are specific categories of personal data related to a person’s: race or ethnicity; political, religious or philosophical beliefs; sexual life or sexual orientation; health; genetic or biometric data; criminal record; or trade union membership. There are additional requirements for the protection of sensitive personal data.
  • Processing of personal data – this can cover the many different uses of that data, including: collecting, recording, storing, adapting, using, disclosing, destructing and deleting data.
  • The General Data Protection Regulation (GDPR) applies to both ‘data controllers’ and ‘data processors’:
  1. A data controller is a person/company/other body, who either alone or with others, controls the contents and use of personal data.
  2. A data processor is a person/company/ other body, who processes personal data on behalf of a data controller but does not include an employee of the data controller who processes such data, in the course of his/her employment.
  • The rights cover data related to identified or identifiable persons (e.g. customers or employees) held either electronically or physically – this includes physical files, emails, Customer Relationship Management (CRM) systems, images or recordings of individuals. (Source: IBEC, 2018)

That’s a lot to take in, so let’s make it simple! Organisations need to have a plan in place regarding why and how they obtain any personal data (especially sensitive personal data) regarding anyone, who can access it, how it is stored, and when / how it is destroyed. In addition, should someone, an employee for example, make a data request (also known as a Subject Access Request or SAR) then then organisation must be in a position to provide all personal data held regarding that individual within 30 days of the request.

As a business, you get to decide on your policy regarding your HR data retention policy, however it must be realistic and justifiable. The industry sector, the relevant legislation and data type need to be taken into account when making this determination.

Typical HR Data

During the employee lifecycle, quite a lot of personal and potentially sensitive data is requested and created. A key action for any organisation to take is to identify what data they hold and create guidelines regarding its retention. The creation of a template, such as this example regarding recruitment below, would be beneficial:

Stage in LifecycleDataStorage LocationAccessRetention Period
RecruitmentApplicationsRecruitment and HR FileHREmployment Period for employee

1 year post recruitment date for applicants

CVRecruitment and HR FileHREmployment Period for employee

1 year post recruitment date for applicants

Medical FormsHR FileHREmployment Period
Pension DetailsHR FileHRIn line with Pension and / or Death
P45Payroll FilePayrollIn line with revenue
Selection GridHR FileHREmployment Period for employee

1 year post recruitment date for applicants

Interview NotesHR FileHREmployment Period for employee

1 year post recruitment date for applicants

Passport or other proof of identityHR FileHREmployment Period
Other

Each organisation will be unique in terms of the employee data they gather, but what they all need to do however is have clarity on this process and know why the data is being kept. They need to be able to identify why it has been requested, how it is used, who has access to it, where it is stored (this should be very secure; a locked area for hardcopies; a secured IT drive with appropriate back up, encryption and security access for soft copies) and how long it will be retained for. The sample above is just that, an example. In real terms this would require more input and details with organisational specifics.

This is an excellent opportunity for an organisation to review the type of data being held regarding their employees and gain clarity on the necessity behind retaining a copy of same.

Other typical areas that organisations will need to consider will be performance management, grievance and disciplinary handling, leave requests (forms / letters / emails), next of kin records, pension records, payroll / tax / PRSI records, life insurance policy, health insurance policy, medical information and health insurance. There may well be other areas in your company.  A good way to do a review is to carry out a sample HR audit on files and documents to ascertain what data is stored on them, whilst also reviewing the ‘other’ information HR, line managers, payroll, occupational health, pensions hold as well.

When setting retention periods organisations should consider statutory requirements, company needs, limitation periods and data protection requirements. Some employee data has minimum statutory retention periods, for example:

Wage Information3 years
Working hours and related information3 years
Collective redundancy information3 years
Parental leave records8 years
Carer’s leave3 years
Employment permit records5 years or period equal to duration of employment (whichever is longer)
Accident records10 years

Other data needs to be retained taking claim periods into account, e.g. breach of contract is 6 years, unfair dismissals 1 year, personal injuries are 2 years.

Employees

When it comes to employees, you could be forgiven for thinking of your current pool of staff that you work with on a daily basis, however you would be mistaken. Employee’s include anyone who has applied for a position in the company and past employees.

With applicants, it is recommended to retain the recruitment file for a period of up to 12 months following the completion of the recruitment campaign should an unsuccessful applicant take a case against the company in the WRC e.g. under the Equality Legislation.

For past employees, it is recommended that the full HR file is retained for a period of 12 months should an employee take a case of unfair dismissal following termination of employment. Following this, a record of the period of employment will need to be retained along with necessary tax and pension information, once same has been identified.

First Steps

Understanding what data you have and limiting this to what you need is the most important first step.  As with all things HR the most important thing to do is set your policy, be clear and follow your policy. For GDPR that means asking the following questions:

  • What data do you hold?
  • Why do you hold the data?
  • Where the data is stored hard / soft copy – have you ensured security of same?
  • When do you need this data: set retention periods for each type of data stored?
  • Who in the organisation (HR/Finance/MD/Line Manager/Payroll etc.) has access to each piece of data, understanding that an employee can request all data held on them at any time?
  • How have you reached your conclusions? Ensure your policy is both realistic and justifiable.

And as with all data that is ‘constructed’ online or offline (i.e. printed in hard copy), it’s important to have a destruction policy for the data, post the expiry of the retention policies that are listed above. Investing in a cross cut shredder is an imperative and this must be at level P-5, due to the sensitive nature of the data that is and will be destroyed in your organisation.

[author] [author_image timthumb=’on’]https://safesandshredders.ie/wp-content/uploads/2018/05/Louisa-Meehan.jpg[/author_image] [author_info]Louisa Meehan of Woodview HRM specialises in Mediation and HR support for the small business community. She has a range of support services on offer with extensive industry experience to help you succeed in your small business growth. For more information contact: louisa@woodviewhrm.com [/author_info] [/author]