In spring 2018 inboxes were bombarded with emails relating to GDPR. There has also been a great deal in the press which suggests that you are no longer allowed to hold so much, if any, personal data about your staff or others.
However, not holding personal data conflicts with the usual way of managing health and safety risks. For example, most employers hold training records, copies of personal licences and accreditations, etc. So are you no longer allowed to do this?
The GDPR will not require you to embark on a mass shredding exercise. However, the legislation does impose duties which require you to take certain actions, and meeting those duties is what allows you to hold and share the personal data you need to manage health and safety risks effectively.
Article 5 of the GDPR requires those who hold personal data to process it lawfully, fairly and in a transparent manner.
The key principles that give you a lawful basis for holding personal data are: (1) you are under a legal obligation; or (2) you have a legitimate interest.
You are under a legal obligation to hold or use personal data for a number of reasons.
For example, in the event of a serious accident you are under a strict duty to make a report to the HSE in line with the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013. These regulations require you to provide detailed information about the injured party.
Another strict requirement is for employers to hold health surveillance records for a period of at least 40 years. Again, this cannot be achieved without holding personal data.
On a purely practical level you must hold information about your staff, for example training records, details of competency cards, etc. These examples fall into the legitimate interest
The GDPR requires transparency. This means that the individuals have the right to be informed about the collection and use of their personal data.