Top 7 Data Protection Tips for Employers
An overview of the top 7 considerations for employers to comply with the retained General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
1. Are your employment contracts compliant?
- Pre-GDPR, many employment contracts referred to employees consenting to their data being processed. This is no longer appropriate and contracts that refer to consent should be updated.
- Employment contracts should contain sufficiently robust data protection and confidentiality obligations, ideally tied to an enforceable data protection handbook or policy (see question 2).
- Employment contracts should contain accurate and up-to-date references to the data protection law that applies post-Brexit.
2. Do you have employee and job applicant privacy notices?
- Organisations are required to have privacy notices that set out how the organisation will obtain, handle, process or store employee personal data.
- Employees and job applicants should be made aware of their rights under data protection law via these privacy notices.
- In addition, you will need to prepare and maintain an “appropriate policy document” in relation to your processing of special categories of personal data and criminal convictions or offence information.
3. Do you have a data protection handbook (or instructions manual) for employees to follow?
- Your employees’ obligations (both general and role specific) and your expectations of them in relation to data protection should be clearly set out, ideally in a data protection handbook.
- A data protection handbook will assist you to comply with the accountability obligations under the UK GDPR.
4. Who has overall responsibility for data protection compliance (and do you need a data protection officer (DPO))?
- As an employer, you will need a DPO if you are an organisation that either: (a) is a public authority; (b) carries out large scale systematic monitoring of individuals; or (c) carries out large scale processing of special categories of data or data relating to criminal convictions.
- Even if your organisation does not fall into any of the three categories above, you can still appoint a DPO. Alternatively, you can appoint an individual who will be responsible for compliance with regulatory requirements.
- A DPO will be responsible for monitoring and advising on compliance with the UK GDPR. The DPO will also be the first port of call for supervisory authorities and will have to comply with the obligations set out in UK GDPR Articles 37 to 39.
5. Do you train and audit your staff?
- Employees that have regular or permanent access to personal data or are involved in the development of tools or software used to process personal data should be given appropriate training.
6. Are you undertaking any high-risk processing that may require a Data Protection Impact Assessment (DPIA)?
- Employers should undertake a DPIA to identify and minimise non-compliance risks.
- You must undertake a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
- A DPIA should include a description of the envisaged processing operations and the purposes of the processing, an assessment of the need for and proportionality of processing the information, the risks to data subjects, and the measures to mitigate those risks in order to comply with the UK GDPR.
7. What happens if you do not comply with the UK GDPR and the DPA 2018?
- Under the UK GDPR, you can receive a fine of up to 4% of global annual turnover, or £17,500,000, whichever is higher, for breaches of: (a) processing, including consent conditions; (b) data subjects’ rights; and (c) international transfers.
- For other breaches, you can receive a fine of up to 2% of global turnover, or £8,700,000, whichever is higher, for infringements such as the failure to maintain written records and the failure to report breaches where required.
This article was written by MarcUs-Ong.