
Is your Privacy Notice GDPR compliant?

Following on from our GDPR compliance top tips and our jargon buster, here are ten practical tips to ensure your Privacy Notice is regulation ready.

Employers and businesses which hold personal data (Data Controllers) must provide their employees (Data Subjects) with information about their data processing activities. This means employers need to give clear information on how they collect, handle and use personal data. Existing Privacy Notices are unlikely to be sufficient to comply with the Regulation, which lays out new, detailed requirements that Privacy Notices must meet. Broadly speaking, some of those requirements can be summarised as follows (although specific advice should be taken):

1. Use clear and straightforward language and a simple style which employees will easily understand;

2. Avoid terminology or legal jargon which may confuse employees;

3. Clearly set out who the Data Controller(s) are for the purposes of data processing, providing contact details (including those of a Data Protection Officer, where one has been appointed);

4. Clearly explain what information the employer will collect from employees, the legal basis for this and the purposes it will be used for, at the time of data collection;

5. Explain any “legitimate interests” the employer seeks to rely upon and give details of any transfers outside the EEA (with details of the adequacy safeguards in place);

6. Specifically explain who, if anyone, the information will be shared with and why;

7. Identify any third party sources from which personal data about employees will be obtained, what that data will be used for and how long it will be retained, and notify the employees of this within one month of obtaining the data;

8. Notify employees of the period for which their personal data shall be stored or, if that is not possible, the criteria used to determine that period;

9. Meet different needs; this may mean having separate Privacy Notices for existing employees and for recruitment purposes; and

10. Highlight the specific individual rights that employees have under GDPR and their right to complain to the Information Commissioner’s Office (ICO).

If you need any support preparing privacy notices for GDPR coming into force on 25 May 2018, please get in touch with a member of the team.


Three months to go until GDPR comes into force: are you ready?

Has getting to grips with GDPR been lingering on your to-do list for the past year? With only three months to go until GDPR comes into force on 25 May, now is the time to push it to the top of your list.

Don’t panic if you have not yet started to prepare. Here are our top tips for getting your organisation ready:

  • Start with an audit of what data you hold and what you do with it. You can then consider what legal basis you have for processing the data. With the advent of GDPR, you should be moving away from the use of consent, which individuals are entitled to withdraw, to one of the other permitted bases for processing data. In the employment context, most data processing will be permitted as being required for performance of the employment contract or complying with a legal obligation. There is also a basis for processing where an organisation has “legitimate interests” to do so.
  • A new privacy notice will be needed to comply with GDPR. Consider having separate privacy notices for existing employees and for recruitment purposes. GDPR requires privacy notices to be concise, easily accessible and easy to understand. There is a significant list of mandatory information which needs to be included in a compliant notice.
  • If, like most employers, you have a data protection consent clause in your template employment contract, this should be removed from any new contracts being issued. You don’t need to issue fresh contracts to existing employees but you should let them know that you are no longer relying on consent and refer them to your new privacy notice.
  • Put in place a procedure for dealing with subject access requests – GDPR requires requests to be dealt with faster (within a month in all but exceptional cases) and without charging a £10 fee (except where a request is “manifestly unfounded or excessive”, in which case you can charge a “reasonable” fee). You should also have a procedure in place for dealing with any data breach and the new requirement to notify the Information Commissioner’s Office of such a breach.
  • Start training employees so that everyone is aware of their responsibilities.

Whilst GDPR brings with it the threats of significantly increased penalties for non-compliance, starting preparations now (if you have not already done so) will stand your organisation in good stead for the new regime. If you need support in tackling your preparations, please get in touch with a member of the team.


Surveillance of employees in the workplace and the Article 8 right to privacy

Advances in technology have made monitoring employees easier than ever before. With the increased use of email, smartphones, laptops, trackers and wearable devices, almost every mode of communication has gone digital. As such, it is now possible to monitor employees’ every movement and communication, to find out not just where they are but also how productive they are being.

However, many employees argue that this monitoring is an intrusion on their right to respect for private life (under Article 8 of the European Convention on Human Rights, given effect in the UK by the Human Rights Act 1998) and is therefore unlawful.

This important issue has been the focus of two recent decisions by the European Court of Human Rights (ECtHR). In each case, the judges considered the limits on what is and is not permissible when it comes to the surveillance of employees.



UK Employment Law Round-up – February 2018

In this issue we look at some of the key employment law developments that have been taking place over the past month. In particular, we take a look at the outcome of Matthew Taylor’s review of modern employment practices and the Fawcett Society’s report on potential gaps in current sex discrimination legislation in the UK. The second of these is particularly significant in light of the growing movement to raise awareness of sexual harassment in the workplace. We also give you our top tips for getting your organisation ready for the implementation of the GDPR, which is now only three months away(!), and the first hike in the “minimum” requirements for auto-enrolment compliance.



GDPR: is the jargon holding up your preparation?

With the implementation of the General Data Protection Regulation (GDPR) a mere three months away, it may (or may not) surprise you to learn that 60% of organisations were reported as being not “GDPR ready” at the start of this month. The same report, by software technology firm Senzing, also found that almost 40% of UK-based directors were unsure as to whether they would be GDPR compliant come 25 May.

This is not the first study to reveal a lack of preparation for the GDPR. In January the Department for Digital, Culture, Media and Sport urged businesses and charities to ensure they were compliant by 25 May after it was revealed that up to 50% were unaware of their new obligations.

With these statistics in mind, this is the first in a short series of jargon-busting blog posts to help tackle some of the confusion surrounding the introduction of GDPR. In this post we look at some commonly used terms in the GDPR which deal with the different types of data and those that will be handling the data:

Personal Data – the GDPR has a broader definition of what constitutes personal data than the Data Protection Act 1998, by incorporating reference to personal identifiers such as name, identification numbers, IP address and location. Generally, it means any information or data which relates to a living individual who can be directly or indirectly identified by it.

Sensitive Personal Data – the GDPR has a broader definition of this term than is the case under the Data Protection Act 1998, as it incorporates biometric and genetic data. It is also worth bearing in mind that under the GDPR it is no longer called sensitive personal data but is instead referred to as “special categories of personal data”. Personal Data revealing political opinions, religious or philosophical beliefs, racial or ethnic origin or trade union membership, genetic data, biometric data (where processed to uniquely identify a person), data regarding health, or data concerning a natural person’s sex life or sexual orientation will all be classed as “special category” data under the GDPR.

Data Subject – the living individual to whom Personal Data relates. For example, an employee.

Data Controller – a “person” who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. This will typically be the business entity employing staff and determining the use of their Personal Data.

Data Processor – unlike the Data Protection Act 1998, the GDPR imposes specific responsibilities directly on Data Processors. These are third parties that process data on behalf of the Data Controller, for example IT service providers and payroll companies. There are also additional requirements introduced under the GDPR as to what must be contained in contracts with Data Processors.

Keep an eye on our blog for our next GDPR jargon-buster!
