Expert Insights

Expert Insights

Top 7 Data Protection Tips for Employers

An overview of the top 7 considerations for employer’s to comply with the retained General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

1. Are your employment contracts compliant?

  • Pre-GDPR, many employment contracts referred to employees consenting to their data being processed. This is no longer appropriate and contracts that refer to consent should be updated.
  • Employment contracts should contain sufficiently robust data protection and confidentiality obligations, ideally tied to an enforceable data protection handbook or policy (see question 2).
  • Employment contracts should contain accurate and up to date references to applicable data protection law post-Brexit.

2. Do you have employee and job applicant privacy notices?

  • Organisations are required to have privacy notices that set out how the organisation will obtain, handle, process or store employee personal data.
  • Employees and job applicants should be made aware of their rights under data protection law via these privacy notices.
  • In addition, you will need to prepare and maintain an “appropriate policy document” in relation to your processing of special categories of personal data and criminal convictions or offence information.

3. Do you have a data protection handbook (or instructions manual) for employees to follow?

  • Your employees’ obligations (both general and role specific) and your expectations of them in relation to data protection should be clearly set out, ideally in a data protection handbook.
  • A data protection handbook will assist you to comply with the accountability obligations under the UK GDPR.

4. Who has overall responsibility for data protection compliance (and do you need a data protection officer (DPO))?

  • As an employer, you will need a DPO if you are an organisation that either: (a) is a public authority; (b) carries out large scale systematic monitoring of individuals; or (c) carries out large scale processing of special categories of data or data relating to criminal convictions.
  • Even if your organisation does not fall into any of the three categories above, you can still appoint a DPO. Alternatively, you can appoint an individual who will be responsible for compliance with regulatory requirements.
  • A DPO will be responsible for monitoring and advising on compliance with the UK GDPR.  The DPO will also be the first port of call for supervisory authorities and will have to comply with obligations as defined in UK GDPR Article 37-39.

5. Do you train and audit your staff?

  • Employees that have regular or permanent access to personal data or are involved in the development of tools or software used to process personal data should be given appropriate training.

6. Are you undertaking any high risk processing that may require a Data Protection Impact Assessment (DPIA)?

  • Employers should undertake a DPIA to identify and minimise non-compliance risks.
  • You must undertake a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
  • A DPIA should include a description of the envisaged processing operations and the purposes of processing, an assessment of the need for and proportionality of processing the information and the risks to data subjects and measures to mitigate those risks to comply with the UK GDPR.

7. What happens if you do not comply with the UK GDPR and the DPA 2018?

  • Under the UK GDPR, you can receive a fine of up to 4% of global annual turnover, or £17,500,000, whichever is higher, for breaches of: (a) processing, including consent conditions; (b) data subjects’ rights, and; (c) international transfers.
  • For other breaches, you can receive a fine of up to 2% of global turnover, or £8,700,000, whichever is higher, for infringements such as the failure to main written records and the failure to report breaches where required. 

This article was written by MarcUs-Ong.

Our thinking

Share this Page