As featured in the Guernsey Press Business Panel.
I look after HR for a small company. I am concerned as we have not considered GDPR. I am worried that I need to gain our employees’ consent to continue to hold information about them. Is this true?
Hana Plsek, senior associate at Collas Crill, replies:
Guernsey’s new data protection law, which is based on the European GDPR legislation, will impact how you deal with your employees.
However, it can have broader implications as it also applies to information you hold on individuals outside your firm such as clients or third-party service providers.
As such, a business’s response to the new law would ideally be driven by those who manage your internal systems and data control.
There has been much scaremongering about what you need to do in relation to information held and what consents are needed.
In simple terms, a company does not need to gain consent from its employees to hold information where it holds that information to enable it to fulfil its contract of employment with them or meet some other legal obligation. By way of example, holding an employee’s bank details would not require consent because it is necessary to pay their salary each month.
There may also be information employers hold on their employees that whilst not strictly necessary under law is necessary for the purposes of the employer’s legitimate interests.
An example of this would be information retained to show regulatory compliance. Consent is also not necessary to hold this data.
Beyond these and a few other more specific categories of information holding, consent would be required to hold employee data.
As a general principle, however, the new law requires employers to minimise the data they hold on employees to that which is necessary – this should be considered as an overarching principle.
In addition to working out how and why you are entitled to hold employee information, you need to inform your employees of what information you hold and intend to keep holding that relates to them and how you intend to manage this data.
This can be achieved through a privacy notice outlining the information you hold in relation to the employees, the lawful basis on which you are processing that data as well as other specified details such as who you may share it with and why.
The new law became effective on Friday 25 May 2018.
We would recommend companies look at their privacy regimes now to the extent they have not already done so.
There are some employment-specific privacy issues, such as the sensitivity of data around trade union membership, so we would recommend employers uncertain of their obligations seek appropriate advice.