GDPR AND HR

07 August 2018

From 25 May 2018, to avoid the risk of breaching the General Data Protection Regulation, employers are obliged to take on new responsibilities, as well as to update their contracts, policies and procedures, in order to maintain compliance with the GDPR requirements.

This means employers must:

Review employment contracts and consent forms

  • Ensure that the provisions of data protection are clearly set out in an employee contract.
  • Make sure that consent can only be requested for the intended purposes, and that consent is unambiguous, informed and freely given in a clear statement.
  • Consider alternative lawful grounds for processing employee personal data, such as performance of the employment contract or the employer's legitimate interests.
  • Obtain separate consent when acquiring occupational health reports with clear records documenting consent and how it was procured.


Introduce or update their data protection policy

  • Showcase the importance of data protection.
  • Provide a clear definition of personal data.
  • Explain the consequences of non-compliance.
  • Provide details of what your data protection responsibilities are as an employer.
  • Describe the collection and usage of their personal data.
  • Include the employee’s responsibilities when handling data.

Employees should also undertake training alongside reviewing the data protection policy in order to maintain compliance.


Include the new data rights for employees, with clear guidelines

  • The right to be forgotten.
  • The right to restrict processing.
  • The right to data portability.

These rights must be stated clearly in the employee contract, and not hidden by employers.

In order to facilitate these rights, an employer must have a clear processing system in place. It is therefore vital that existing procedures are reviewed, in order to establish whether they are efficient enough to accommodate the new employee rights.

For example:

If an employee asks you to delete their personal data, can you locate and delete that data easily and efficiently?

Or, if you receive a data portability request, are you able to deliver the data in a structured, machine-readable format?

Employers should also implement data protection operating, audit and record-keeping systems, covering details such as the logistics of training, staff processing, and regular compliance checks, including the use of privacy impact assessments and privacy by design.

Provide details regarding Subject Access Requests (SAR)

  • Consider additional information that must be provided to employees.
  • Be aware of the response time for Subject Access Requests, usually within one month.
  • Compile a clear SAR policy alongside training for anyone dealing with the requests.
  • Review and update template SARs and response letters.

Provide details of the organisation’s nominated Data Protection Officer (DPO)

  • Both private and public sector employers must appoint a Data Protection Officer if they process a sizeable amount of personal data regularly.
  • The Data Protection Officer is appointed to deal with compliance and any breach alerts.
  • Organisations that may not need a DPO can appoint a Data Champion, a similar role that does not carry the same mandatory requirements as a DPO under the GDPR.

Include information regarding the international transfer of data

  • Any employer who transfers personal data internationally, including to systems located outside the EU, must provide employees with the details of this process, including how and when it takes place, as well as the safeguarding practices in use.
  • It is important that employers inform employees of this process, to prevent personal data from being transferred internationally without the necessary precautions.
  • Emails or applications such as Dropbox have been known to cause data breaches.

How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070