At Jane Systems we’ve made it our business to be an information source for the General Data Protection Regulation, and as implementation on May 25th draws near we’re seeing our customers approach data protection with the same diligence and professionalism that they show in every other aspect of their work.
The core principle of GDPR is the enhancement of the rights of the individual when it comes to the storage and use of their data. These individuals – data subjects – have the right to know exactly what their personal information is being used for, and how long and how securely it will be stored. Data subjects are no longer under pressure to give blanket consent for multiple uses of their details. They can drill down into the fine print of what’s being asked of them, and make sure the people who hold their data have their facts right. From an HR perspective, employees and job applicants are data subjects you’ll come across every day. As individual data subjects we all stand to benefit from this.
The data controller is the person or body that determines the type of personal data that’s required, as well as the objective and method of processing that data. An employer who needs to hold their people’s dates of birth, national insurance numbers and remuneration details to process their payroll and satisfy HMRC regulations fulfils the function of data controller. That gives them key responsibilities and increasing levels of obligation. Whatever action they take in this arena, they need to be able to justify it.
Data processors are essentially “middlemen”, taking responsibility for processing personal information on behalf of the data controller and following their instructions. The data processor may collect, record, store and retrieve third party information, and it’s their duty to do this in a way that’s fully compliant with GDPR and with data protection law in general. Jane Systems is an active data processor, and it’s our job to be a compliant, supportive partner at all times.
Identifying the legal basis for requesting subject data. If you have no clear reason to hold information, why exactly are you seeking it?
Securing clear, unambiguous consent. Do your people know what’s being asked of them and what the consequences will be? And do they explicitly agree to these things? If they don’t, you have a problem.
Is your employee data portable? Are you giving them the option of moving, copying or transferring their information between IT environments? It’s their data, and they have the right to its secure movement.
Are you protecting the data rights of your people? GDPR enhances those rights. If you don’t know how, it’s time you found out.