How does GDPR affect me as an employer?
To comply with GDPR (the General Data Protection Regulation) you need to be clear about what data is held, where it is held, why you are holding it and for how long.
GDPR requires you to have a legal basis to process employee personal data. Consent is one option, but it must be freely given and requires affirmative action; pre-ticked boxes or inactivity won’t constitute valid consent.
You can, however, rely on the fulfilment of the employment contract as the legal basis, e.g. to pay the employee, to comply with legal obligations or for administrative purposes. You should nevertheless be careful about the type of data you hold and who has access to it, and once this data is no longer needed to carry out these functions, it should be destroyed.
You must tell employees and job applicants how their personal data will be used, and if you wish to use it for a purpose other than that for which it was originally collected, you must inform employees of this new purpose.