The General Data Protection Regulation (‘GDPR’) comes into force in less than two months. From an HR perspective it imposes data obligations on any US, European or other employer with EU-based staff. Failure to comply with the GDPR regime can result in significant fines and disruption to your business. Are you ready?
Our first blog deals with ‘privacy notices’ aimed at staff. GDPR requires employers to give information to their workforce, setting out in particular the personal data (employee information) the employer holds about them, how it is used, and with whom the information is shared.
1. We already give staff a privacy notice under existing data protection laws. Is that enough?
No. GDPR imposes new requirements on employers. Employers must give more detailed information than is currently required under existing EU data protection laws. Employers also need to ensure that their privacy notices accurately reflect their workforce data processing activities.
2. Our privacy notice is very long and complex. Is that a problem?
Yes. You should make sure that your privacy notices are concise, understandable, accessible and use clear and plain language. It can be hard to reconcile this with the obligation mentioned above about giving detailed information. One way of doing this is to adopt a ‘layered approach’ – that is, you can have a short privacy notice setting out just the key privacy information, with links to more detailed information elsewhere for those who want it. Another way is to have a different privacy notice for each type of data subject. For staff, you can present the information in a Q&A format.
3. How should I deliver privacy notices to my workforce?
Employers can deliver privacy notices to their staff in whatever ways are most appropriate. For example, the privacy notice could be included with staff payslips, hand-delivered at a meeting against acknowledgement of receipt, or communicated electronically via the company intranet or by email. We would not generally recommend simply posting on noticeboards in a public area as this may not sufficiently document that the information has been provided to all of the workforce. A blended approach may well be necessary to ensure that privacy notices are seen by all staff, some of whom, for example, may not have easy access to emails.
4. Can I use one privacy notice for all the different categories of staff in my business?
You should consider whether it is appropriate to have different, tailored privacy notices for different types of individual in your business. This will help you comply with the requirement that privacy notices should be concise. It would be good practice, for example, to consider having one privacy notice for your employees, workers and consultants, and a separate shorter privacy notice for recruitment candidates, where an employer typically processes more limited categories of information.
5. Last but not least, what information do I need to give to my staff?
Article 13 of the GDPR requires that various types of information be given to data subjects (employees and other staff), including the following:
- the employer’s name and contact details, and the Data Protection Officer’s contact details (if applicable),
- the purposes and legal basis of processing,
- the categories of personal data concerned,
- the recipients of staff personal data and, if such data is transferred outside the EEA, the protective measures to safeguard such transfers,
- retention periods for such data,
- details of data subject rights (including, among other things, rights to correct and access their information and ask for it to be erased), and
- the right to lodge a complaint with a data protection authority.