Following on from our GDPR compliance top-tips and our jargon buster here are ten practical tips to ensure your Privacy Notice is regulation ready.
Employers and businesses who retain personal data (Data Controllers) must provide their employees (Data Subjects) with information about their data processing activities. This means employers need to provide clear information on how they will be handling/collecting and using personal data. Existing Privacy Notices are unlikely to be sufficient to comply with the Regulations which lay out new detailed requirements that Privacy Notices must meet. Broadly speaking, some of those requirements can be summarised as follows (although specific advice requires to be taken):
1.Use clear and straightforward language and a simple style which employees will easily understand;
2.Avoid using confusing terminology or legal jargon which may confuse employees;
3.Clearly set out who the Data Controller(s) are for the purposes of data processing providing contact details (including of a Data Protection Officer if possible);
4.Clearly explain what information the employer will collect from employees, the legal basis for this and the purposes it will be used for, at the time of data collection;
5.Explain any “legitimate interests” the employer seeks to rely upon and give details of any transfers outside the EEA (with details of adequacy safeguards taken);
6.Specifically explain who, if anyone, the information will be shared with and why;
7.Identify any third party sources which will be used to collect personal data about employees, the uses, period it will be retained for, and notify the employees within one month of collection;
8.Notify employees of the period for which their personal data shall be stored or the criteria used to determine that period;
9.Meet different needs; this may mean having separate Privacy Notices for existing employees and for recruitment purposes; and
10.Highlight the specific individual rights that employees have under GDPR and their right to complain to the ICO.