Following our General Data Protection Regulation (“GDPR”) sessions held in London and Cambridge last month, we have put together our top 10 practical tips for employers to consider, from a documentation and process viewpoint, one year on from the introduction of the GDPR.
1. Embed data protection in your workplace culture
Data protection compliance is an organisation-wide responsibility – educating employees and raising awareness at all levels is essential.
Implement policies and procedures to set out your organisation’s approach to data privacy and apply and enforce these robustly by highlighting consequences of non-compliance. Build a programme of staff training into your education programme, to ensure your workforce understands their obligations when handling the company’s data.
2. Revisit your contracts of employment
Do not rely on the employees’ consent to process their personal data. Instead, determine whether you are relying on one or more of the following lawful grounds: legitimate interests, performance of contract or legal obligation. Ensure your contracts of employment are updated accordingly.
If you are concerned about whether you can rely on “legitimate interest” as your lawful basis for any particular processing activity, complete and retain the Legitimate Interest Assessment Tool, to identify and reduce privacy risks.
3. Issue a staff privacy notice
A key principle under the GDPR is the right to be informed about how personal data is processed. Think about how your organisations will comply with this requirement. Our recommendation is that all staff are issued with a privacy notice (this can be sent in short-form to job applicants).
When creating your organisation’s privacy notice, refer to the ICO website for full guidance on the information you should be including.
4. Implement a data protection policy/privacy standard
Effective policies or privacy standards are crucial tools to make employees aware of their data protection responsibilities when handling personal data.
Have your data protection policies (and those relating to IT use or monitoring activities) been updated? Effective policies are key to ensure your staff understand their responsibilities in connection with data protection.
5. Review all recruitment and benefit forms
Applying the principle of data minimisation under the GDPR, ensure you are only asking for necessary information in your recruitment and benefit forms.
Consider the data you are transferring to third parties (such as to external payroll, healthcare or pension providers) and ensure the additional data-controller-to-processor contractual arrangements under the GDPR are in place.
6. Have a uniform approach to data subject access requests (“DSAR”)
Use a short form policy to ensure that employees are aware of what DSARs are and how the company will deal with them.
Document your internal procedures for dealing with DSARs to ensure a uniform and timely response. Consider drafting template response documents to support the DSAR policy.
7. Know what to do in the event of a personal data breach
Make sure your employees can recognise a personal data breach and know how to report it internally.
For the individual(s) handling the breach, implement guidelines to help them identify risks from the breach; assess whether notification obligations have arisen and implement preventative measures for the future.
8. Set out your procedure on retention and destruction of HR documents
Do not retain data for longer than is necessary and ensure the data being retained is kept for legitimate purposes.
Document your retention periods (along with reasons why you have determined the relevant retention periods) in a company-wide policy and/or a standalone HR document policy.
9. Review all consultancy agreements
Conduct a review of the handling of personal data between your organisation and consultants. Issue a privacy notice to the consultant where necessary.
If the consultant will be processing the company’s personal data in carrying out the consultancy services, the consultancy agreement must contain mandatory processor obligations.
10. And don’t forget…
To pay your data protection fee – the ICO is levying fines against organisations who fail to pay!