Employers must provide information to their employees to ensure that they are transparent about how they are processing personal data. Specific information must be provided which is wider than existing requirements.
In general, privacy notices need to be much more detailed. Although much of the information may already be contained within your existing policies, it would be useful to review all your policies and ensure they work in tandem and reflect each other in terms of what they say you will do with employees' personal data.
Issuing privacy notices
Privacy notices must be issued before or at the time of data collection. In an employment context, employers and HR managers must be conscious of this from the recruitment stage: you will be receiving personal data at this stage, so you must comply with the GDPR and the notice requirements even then. Employers must also provide notice during the employment relationship.
What to include in your privacy notices
- The identity and contact details of the data controller and data protection officer
- The purposes of processing the personal data and the legal basis for it
- Where the processing is based on legitimate interests, the interests being pursued by the employer or the third party
- The recipients of the personal data
- Information on any cross-border data transfers outside the EEA
- The data retention period
- A brief explanation of the right to have information deleted or rectified and the right to object to processing
- The right to withdraw consent to processing
- The right to complain to the ICO
What should HR professionals do?
- Perform an audit of the data that is being collected, and consider why the data is required and how long it is required for
- Review all existing policies and information notices to ensure they comply with the GDPR’s new requirements and update them where required