• news-banner

    Expert Insights

Top 7 Data Protection Tips for Employers

An overview of the top 7 considerations for employer’s to comply with the retained General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

1. Are your employment contracts compliant?

  • Pre-GDPR, many employment contracts referred to employees consenting to their data being processed. This is no longer appropriate and contracts that refer to consent should be updated.
  • Employment contracts should contain sufficiently robust data protection and confidentiality obligations, ideally tied to an enforceable data protection handbook or policy (see question 2).
  • Employment contracts should contain accurate and up to date references to applicable data protection law post-Brexit.

2. Do you have employee and job applicant privacy notices?

  • Organisations are required to have privacy notices that set out how the organisation will obtain, handle, process or store employee personal data.
  • Employees and job applicants should be made aware of their rights under data protection law via these privacy notices.
  • In addition, you will need to prepare and maintain an “appropriate policy document” in relation to your processing of special categories of personal data and criminal convictions or offence information.

3. Do you have a data protection handbook (or instructions manual) for employees to follow?

  • Your employees’ obligations (both general and role specific) and your expectations of them in relation to data protection should be clearly set out, ideally in a data protection handbook.
  • A data protection handbook will assist you to comply with the accountability obligations under the UK GDPR.

4. Who has overall responsibility for data protection compliance (and do you need a data protection officer (DPO))?

  • As an employer, you will need a DPO if you are an organisation that either: (a) is a public authority; (b) carries out large scale systematic monitoring of individuals; or (c) carries out large scale processing of special categories of data or data relating to criminal convictions.
  • Even if your organisation does not fall into any of the three categories above, you can still appoint a DPO. Alternatively, you can appoint an individual who will be responsible for compliance with regulatory requirements.
  • A DPO will be responsible for monitoring and advising on compliance with the UK GDPR.  The DPO will also be the first port of call for supervisory authorities and will have to comply with obligations as defined in UK GDPR Article 37-39.

5. Do you train and audit your staff?

  • Employees that have regular or permanent access to personal data or are involved in the development of tools or software used to process personal data should be given appropriate training.

6. Are you undertaking any high risk processing that may require a Data Protection Impact Assessment (DPIA)?

  • Employers should undertake a DPIA to identify and minimise non-compliance risks.
  • You must undertake a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
  • A DPIA should include a description of the envisaged processing operations and the purposes of processing, an assessment of the need for and proportionality of processing the information and the risks to data subjects and measures to mitigate those risks to comply with the UK GDPR.

7. What happens if you do not comply with the UK GDPR and the DPA 2018?

  • Under the UK GDPR, you can receive a fine of up to 4% of global annual turnover, or £17,500,000, whichever is higher, for breaches of: (a) processing, including consent conditions; (b) data subjects’ rights, and; (c) international transfers.
  • For other breaches, you can receive a fine of up to 2% of global turnover, or £8,700,000, whichever is higher, for infringements such as the failure to main written records and the failure to report breaches where required.

Our thinking

  • IBA Annual Conference 2023

    Charlotte Ford


  • Mental Health Management

    Nick Hurley


  • Calculating Social Value in BTR

    Francis Ho


  • Dangers of trusts

    Mark Summers


  • In-House Insights

    Megan Paul


  • Heritage property and conditional exemption

    Sarah Wray


  • City AM quotes Gareth Mills on the CMA’s new set of principles for regulating AI

    Gareth Mills

    In the Press

  • Hamish Perry and Mike Barrington write for The Evening Standard on whether a merger between the CBI and Make UK can work

    Hamish Perry

    In the Press

  • Silicon quotes Gareth Mills on the UK consumer lawsuit against Google

    Gareth Mills

    In the Press

  • Property Week quotes Louise Ward on the additional support required by aspiring UK life sciences operators

    Louise Ward

    In the Press

  • Sarah Higgins and David Wells-Cole write for Wealth Briefing on the pitfalls of using unregulated legal services

    Sarah Higgins

    In the Press

  • Charles Russell Speechlys’ UK offices receive environmental certification

    Kerry Stares


  • Case analysis: URS Corporation Ltd V BDW Trading Ltd

    James Worthington


  • True value adjudications; don’t jump the gun!

    Christopher Busaileh


  • Financial Reporter quotes Rhys Novak on a new FCA review into the treatment of PEPs

    Rhys Novak

    In the Press

  • In-House Insights Programme 23/24

    Megan Paul


  • Restrictive covenants – who has the benefit?

    Georgina Muskett


  • First time buyers relief and trusts

    Sarah Wray


  • City AM quotes Ashwin Pillay on the latest round of ONS M&A statistics

    Ashwin Pillay

    In the Press

  • Property Patter: Top 5 Notice Traps

    Emma Humphreys


Back to top