GDPR compliance for employers
The General Data Protection Regulation (GDPR) came into effect in the UK, as across the EU, on 25 May 2018. Employers now face stricter rules on how they inform their employees about the personal data collected about them and what is done with it: how that data is used, stored, transferred and secured, and what rights employees have in relation to the data held.
As an employer you will be a “data controller” under the GDPR and in that capacity your data subjects (employees, job applicants, contractors etc.) will have certain rights and you will have corresponding obligations. To help you to comply with the requirements of the GDPR, Simply-Docs has now updated many of its employment documents and also created a range of new GDPR-related documents. Some of the key areas of change are set out below.
Employment Contracts and Privacy Notice for Employees and Contractors
Simply-Docs has updated all of its employment contracts with a GDPR-compliant data processing clause and after 25 May 2018 you should only issue employment contracts including this new clause.
You will not have to re-issue employment contracts to existing employees to ensure GDPR compliance. Instead, current staff should be issued with a Privacy Notice to Staff document.
Employee Data Protection Policy
The Employee Data Protection Policy sets out the rights of data subjects and the obligations of an employer in its capacity as a data controller under the GDPR, together with a number of organisational and procedural measures to help ensure compliance.
Job Applicant Privacy Notice
Don’t forget that if you are recruiting you will also be collecting personal data from job applicants. We have created a GDPR-compliant Job Applicant Privacy Notice which provides job applicants with information about how their personal data will be used during the recruitment process.
Subject Access Requests
The GDPR allows individuals to access the personal data that organisations hold about them by means of a subject access request, which must normally be answered without undue delay and in any event within one month of receipt. As the GDPR applies to all personal data that an organisation processes, employers should accept subject access requests not just from employees, but also from workers, contractors, apprentices, volunteers, and anyone else about whom they hold personal data.
Our documents include a GDPR Subject Access Request Form and a variety of letters that can be used by the employer to respond to different Subject Access Request scenarios.
Bring Your Own Device Policy and Disciplinary Policy
Both the BYOD Policy and Disciplinary Policy have been updated to reflect the requirements of the GDPR.
In the event of a failure to comply with obligations under the GDPR, employers should be aware that they can be subject to fines of up to €20 million or 4% of the undertaking's worldwide annual turnover, whichever is higher. That is the upper tier, reserved for the most serious infringements; a lower tier of up to €10 million or 2% of worldwide annual turnover applies to other breaches.
That being said, it is important not to panic. These are the maximum penalties and will be reserved for those deliberately misusing personal data on a large scale. The key for small businesses at this point is to be doing the best that they can and to be able to show the steps they have taken. The Information Commissioner, Elizabeth Denham, recently pointed out that the ICO is not looking to go after those showing a willingness to comply and that any action taken against those who are non-compliant will be fair and proportionate.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.