GDPR and Data Protection requirements for employers.
DATA PROTECTION FOR EMPLOYMENT
Gill Wooldridge takes a look at GDPR and Data Protection requirements for employers. Please contact Gill Wooldridge in our employment team if we can be of help on any employment law issue at gill@bradleyhayneslaw.co.uk or on 01905 900919
Introduction
The Data Protection Act 2018 brought GDPR into UK law and has established our position on data protection post-Brexit (if and when it happens!). GDPR has provided the biggest shake-up in data privacy in 20 years and has far-reaching implications for employers. GDPR regulates the processing of personal data, which includes its collection, storage, use, alteration, disclosure and destruction. These are some of the steps that employers need to take to ensure compliance for their business.
Audit
The first step is to carry out an audit of what data you currently hold and the legal basis for processing this information. This should include personal data of job applicants, employees, contractors and other workers. You need to ask: who supplies the data, and who do you share it with? How is it collected, and what is the reason for collecting, storing and processing it? How long do you need to keep it for? In considering where it is held, this could be both manual and electronic systems and would include provisions to ensure data security. Particular attention should be paid to sensitive data which is shared with third parties, such as payroll providers, for legitimate business reasons.
Data retention
Data retention, whether hard copy or electronic, is an important consideration under GDPR. As a guide, applicant information should be kept for 6 months to a year, payroll records for 3 years after an employee leaves, salary/wage records (including overtime, bonus and expenses) for 6 years, and contracts of employment and employee records for 6 years after an employee leaves (in line with the six-year limit to start legal proceedings). Records should be kept as long as needed, but no longer, and then securely destroyed.
Employment contracts and staff handbooks
Contracts of employment and staff handbooks need to be reviewed and updated. You need to ensure that your contracts of employment no longer contain data protection consent provisions. Any procedures in your staff handbook that are specifically related to data protection or involve monitoring or processing of personal data (e.g. email and internet communications, data protection policies, CCTV monitoring) will need updating.
Transparency is key: providing clear and accessible information to data subjects is a fundamental part of complying with the requirements of the Data Protection Act 2018.
Under GDPR, it is recommended that employers identify a legal basis for processing the data rather than relying on consent, due to the imbalance of power in an employment relationship. Instead, data protection policies and privacy notices should set out how the employer will comply with its obligations, the types of data being processed and the lawful basis for that processing.
Privacy Notice
Privacy notices should be issued to all current employees, contractors, consultants and applicants. These should identify the name of the employer, what information is being collected and why the employer needs that information. They will need to be tailored to the different data subjects; for example, applicants will need a different privacy notice from employees.
Once the privacy notice has been implemented, it is also good practice to regularly review its contents so that it remains accurate and up to date.
Third Parties
You need to review contract terms with third parties, such as payroll, benefits providers and occupational health, to ensure that they are compliant with GDPR.
Subject Access Request
Under GDPR, subject access requests should be dealt with within one month (previously 40 days), and the response will need to provide the data subject with additional information, such as when a response will be received. There should be no fee for providing the information, and details of the Company's data retention periods and of the right to have inaccurate data corrected or removed should be provided.
Compliance
It’s important to be able to demonstrate compliance with the new GDPR regulations, and the ICO has a range of corrective powers and sanctions to enforce compliance. A written record should be kept of all the data processed by the Company. This includes having a procedure to detect, report and investigate data breaches. Any serious breaches, including data theft, damage or breach of confidentiality, are reportable to the ICO within 72 hours of the breach taking place.
Data Protection Officer
Unless you are a public authority or a large-scale processor of data, it is not necessary to have a Data Protection Officer. However, it is important to have a GDPR ‘Champion’ who has the knowledge, support and authority to take responsibility for compliance within the Company.
Staff Training
Staff need to understand all the relevant procedures in the staff handbook and in particular the privacy notice. They need to know what to do in case of a data breach and who to report it to within the Company. This should be covered at induction and also at regular periods during employment as part of a data protection training programme.
Finally!
Don’t panic if you haven’t complied with all the above. This should not cause undue concern with the ICO as long as you are actively engaging with your GDPR obligations and taking steps to ensure compliance.
How can we help?
We provide advice and guidance on any of the above and can ensure that your employment documents or HR practices are up to date on data protection. Please contact Gill Wooldridge in our employment team for further information: gill@bradleyhayneslaw.co.uk
This information is intended as a guide and is not legal advice.
