GDPR and references

GDPR also affects employers giving references.

We reported earlier this year on the introduction of the General Data Protection Regulation (GDPR), which is a new EU regulation on data protection. It affects everyone who does business with EU citizens and affects businesses of all sizes. The Regulations deal with the holding and processing of personal data of Europeans. The new Regulations mean:

  • Genetic and biometric information will be included in the definition of 'sensitive data'
  • Explicit consent may be required before someone's data can be transferred outside the EU
  • Consent will be harder to obtain and can be withdrawn at any time
  • A new 'right to be forgotten' could allow someone to request that content they are linked to is removed
  • Using personal data must comply with one of six principles and an organisation must be able to demonstrate how it is complying
  • A user's IP address may be classified as 'sensitive personal data'
  • More information must be included in a privacy notice
  • Companies may be required to appoint a data protection officer
  • Breaches of data protection must be reported within certain time limits, usually between 24 and 72 hours
  • Supervisory authorities (like the Information Commissioner's Office) can issue fines of up to 4% of global annual turnover for data breaches

By way of reminder, the GDPR also affects employers giving references. As the above case demonstrates, revealing someone's sensitive medical data can cause difficulties and this could also be a breach of the GDPR. Employers should obtain the consent of the employee before revealing such information.

Employers should not retain documents for longer than is necessary. For most employers, this will mean keeping documents for six years – it might be hard for an employer to justify keeping information for longer than this.

Employers should review and update their policies and be clear as to which employees can give references and to whom. Crucially, employers should record whether an outgoing employee consents to personal information being given in response to a reference request.

To discuss this or any other employment related issue, contact us.
