Top 7 Data Protection Tips for Employers
An overview of the top 7 considerations for employers to comply with the retained General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
1. Are your employment contracts compliant?
- Pre-GDPR, many employment contracts referred to employees consenting to their data being processed. This is no longer appropriate and contracts that refer to consent should be updated.
- Employment contracts should contain sufficiently robust data protection and confidentiality obligations, ideally tied to an enforceable data protection handbook or policy (see question 2).
- Employment contracts should contain accurate and up-to-date references to the data protection law that applies post-Brexit.
2. Do you have employee and job applicant privacy notices?
- Organisations are required to have privacy notices that set out how the organisation will obtain, handle, process or store employee personal data.
- Employees and job applicants should be made aware of their rights under data protection law via these privacy notices.
- In addition, you will need to prepare and maintain an “appropriate policy document” in relation to your processing of special categories of personal data and criminal convictions or offence information.
3. Do you have a data protection handbook (or instructions manual) for employees to follow?
- Your employees’ obligations (both general and role specific) and your expectations of them in relation to data protection should be clearly set out, ideally in a data protection handbook.
- A data protection handbook will assist you to comply with the accountability obligations under the UK GDPR.
4. Who has overall responsibility for data protection compliance (and do you need a data protection officer (DPO))?
- As an employer, you will need a DPO if you are an organisation that either: (a) is a public authority; (b) carries out large scale systematic monitoring of individuals; or (c) carries out large scale processing of special categories of data or data relating to criminal convictions.
- Even if your organisation does not fall into any of the three categories above, you can still appoint a DPO. Alternatively, you can appoint an individual who will be responsible for compliance with regulatory requirements.
- A DPO will be responsible for monitoring and advising on compliance with the UK GDPR. The DPO will also be the first port of call for supervisory authorities and will have to comply with the obligations set out in Articles 37 to 39 of the UK GDPR.
5. Do you train and audit your staff?
- Employees that have regular or permanent access to personal data or are involved in the development of tools or software used to process personal data should be given appropriate training.
6. Are you undertaking any high risk processing that may require a Data Protection Impact Assessment (DPIA)?
- Employers should undertake a DPIA to identify and minimise non-compliance risks.
- You must undertake a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
- A DPIA should include a description of the envisaged processing operations and the purposes of processing, an assessment of the need for and proportionality of processing the information and the risks to data subjects and measures to mitigate those risks to comply with the UK GDPR.
7. What happens if you do not comply with the UK GDPR and the DPA 2018?
- Under the UK GDPR, you can receive a fine of up to 4% of global annual turnover, or £17,500,000, whichever is higher, for breaches of: (a) the processing principles, including the conditions for consent; (b) data subjects’ rights; and (c) the rules on international transfers.
- For other breaches, you can receive a fine of up to 2% of global annual turnover, or £8,700,000, whichever is higher, for infringements such as the failure to maintain written records and the failure to report breaches where required.
This article was written by Marcus Ong.