GDPR covers how we process and use personal data (any type of written data that identifies a living human subject). This is not just an HR matter; it also covers IT, legal, finance, etc. It applies to current and ex-employees, pensioners and job applicants, and to information held either electronically or in hard copy. We can continue to process data if it is to comply with a legal obligation, for example, court orders to remove money from pay. We can also process data to comply with the employment contract, for example, collecting medical information to ensure job safety. Processing needs to be fair, legal and transparent, so we need to tell employees in detail what information we hold on them and what we do with it, use data only for specified purposes, and cleanse, delete and secure data in line with the guidance.
We undertook a data audit to be aware of the data we hold, process and store. This was then used as a basis for formulating a new Data Protection Group Policy and Job Applicant Privacy Notices to explain to people the data we store and process and the reasons for this.
This helps to ensure the security of personal data and increase individuals' awareness of how their data is stored and used. It is a positive step in protecting the rights of individuals and ensuring that companies that store and use data are clear and transparent about what they do with data and why they do it.