We can help you become GDPR compliant with your employees' personal data  

The General Data Protection Regulation (GDPR) comes into effect on Friday 25th May 2018. There has been a massive amount of publicity around this subject with most of it relating to the processing of personal data held about customers or potential customers. But GDPR has a significant impact on businesses that employ people, and that includes workers and consultants who work for the business. 
 
When we have conversations about GDPR with organisations and businesses, we talk about the personal data they hold on their own people. We often see the penny drop. GDPR isn't just about mailing lists and customer personal data. GDPR puts data security and privacy of employee’s personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law. 
 
It's about knowing what personal data you hold about employees, knowing why you keep it, where you keep it, what you do with it, and providing information to employees about that data. 
 
A great deal of what a business does in relation to its employees involves the processing of personal data: background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, files notes, minutes of meetings, emails referring to employees (even indirectly) all of these will involve the processing of personal data. GDPR applies! 
 
As a business, you need to make sure that you comply with GDPR. A sound, effective policy and training are the best ways to achieve this. 
 
We believe in keeping it simple when it comes to policies. That's why we provide organisations with an easy option to becoming GDPR compliant with their obligations for employees’ personal data. You can find more information about GDPR and Employee Data in our guide below.  
We can help you in the following ways: 
 
You can attend one of our GDPR workshops in Birmingham (see the link on this page) 
Price: £195 + VAT and includes a GDPR Policy for Employees 
 
We can provide a GDPR Policy for Employees tailored to your needs with advice from one of our employment solicitors 
Price: £250 + VAT 
 
If you feel you have sufficient GDPR knowledge to apply the policy to your organisation, we can provide you with a Word version of the policy, without advice.  
Price; £150 + VAT 
I attended a course by Spencer Shaw Solicitors regarding GDPR for employers in reference to employee data. The course was extremely informative and well presented. As part of the course we received a take home policy customised to our business that literally saved me days of office time.  
There were biscuits too.  
Highly recommend! 
 

Guidance on the General Data Protection Regulation (GDPR) for Employers 

This information is provided by Spencer Shaw Solicitors Limited to assist employers to implement an effective Data Protection Policy for Employees, Workers and Consultants 
 
(Please note: This information constitutes training and not legal advice) 
The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. It replaces the Data Protection Act 1998, which is struggling to keep up with the pace of technology. The GDPR will provide a common set of rules that can keep in step with the modern world. It will provide better protection to individuals (referred to as data subjects in the regulation). 
 
To be compliant with GDPR, you will need to act. While the regulation itself is complex, the actions you take are relatively straightforward with a bit of research. There are plenty of tools and guides available from the UK Government's Information Commissioner's Office (ICO) and specialist GDPR trainers and consultants. This document will give you an overview of the GDPR and what needs to be done in respect of employee, worker and consultant personal data gathered by your business. 

GDPR – What are the key principles? 

Firstly, GDPR will survive Brexit. The UK government aims to implement the regulation in its entirety. It will become part of our legal system on 25th May 2018. The key principles of GDPR are:- 
 
personal data must be processed lawfully, fairly and transparently; 
personal data must be collected for specified legitimate purposes and processed only for those purposes; 
personal data must be limited to what is needed for the purpose for which it is processed; 
personal data must be accurate and up to date; 
personal data must not be kept for longer than is necessary for its purpose; 
it should be processed securely and confidentially to ensure it is not lost, stolen/hacked, damaged or destroyed. 
 
Personal data is defined as information or data relating to a living person who can be identified from that data. Examples of employee personal data are names, addresses, contact details, employment details, financial information, disciplinary warnings, appraisals or health records. It even includes opinions about a person's performance in an email by a manager. 

Six lawful bases to process data 

There are six potential lawful bases for processing the personal data of your employees. You must be able to demonstrate at least one of these is applicable to the personal data you process or control. These are:- 
 
with the consent of the data subject e.g. your employee. 
the personal data is necessary for the performance of a contract with them e.g. an employment contract. 
you require the personal data to enable you to comply with a legal obligation e.g. provide information to HMRC. 
the personal data is necessary to protect the vital interests of your employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues. 
it is necessary in the public interest. 
it is necessary for the purposes of a legitimate interest of you, as an employer or a third party. The interests and fundamental rights and freedoms of your employee can override this basis. 
 
As part of your preparation for GDPR, you will need to audit the information you hold on your employees and specify which of these bases apply to the data and why. 

A few words on consent 

GDPR says that consent must be:- 
 
freely given; 
specific; 
informed; and 
unambiguous. 
 
It should also be distinguishable. This means that it should be separate from other things such as employment contracts and policies. You will see later on that it can also be withdrawn. So, for most personal data, you may wish to consider the other five bases for processing personal data rather than relying on consent. 

'Special category' data (formerly sensitive personal data) 

You are only permitted to process special category data in specific situations in addition to the rules for processing personal data because it is more sensitive and needs more protection. Examples of special category data are:- 
 
race; 
ethnic origin; 
politics; 
religion; 
trade union membership; 
genetics; 
biometrics (where used for ID purposes); 
health; 
sex life; or 
sexual orientation. 
 
You will only be able to process special category data if:- 
 
your employee gives their explicit consent; 
needed to carry out rights and obligations under employment law, e.g. to ensure the health and safety of workers or for complying with discrimination laws; 
the employee has already made the data public, e.g. on social media 
to establish, exercise or defend a legal claim; 
to protect the vital interests of the employee or someone else, where the employee is incapable of giving consent. This lawful basis is very limited in its scope, and generally only applies to matters of life and death; 
for the assessment of a person's working capacity. 

Information to be given to your employees 

The information you need to give is a lot more than you do at the moment. It should be concise, transparent, easily accessible and in plain language. Our suggestion is that you provide most of the information in a data protection policy in your employee handbook. 
 
You must tell your employee:- 
 
the identity of the data controller (employer) and any data protection officer; 
the purpose of the processing and the legal basis for it; 
the source and category of the data if it hasn’t come from the data subject; 
who will receive the data (department or roll); 
how long you intend to keep the data, e.g. for three years after their employment ends; 
their rights under the regulation (see the section on rights below); 
if the data is to be transferred out of the EU, the legal basis for it and safeguards in place; and 
whether you use any automated decision making or profiling. 
 
You must provide this information at the time you gather the personal data from them or within a reasonable time if it is obtained from another source. The ICO suggest within one month of processing. You will need to keep a record of this. We suggest getting your employees to sign that they have received a copy of your policy (assuming you have one!). 

The rights of your employees 

Below are the rights of your employees regarding personal data you hold about them. As mentioned above, you must inform your employees of these rights and document the fact that you have. 
 
They have the right to:- 
 
the information in the section above; 
access their personal data; 
correct personal data; 
erase personal data (the right to be forgotten); 
restrict processing of data; 
object to data processing; 
receive a copy of their personal data; 
transfer personal data to another data controller; and 
not to be subject to automated decision making. 
 
If your employee requests a copy of their personal data you must comply without undue delay and no later than one month from the initial request. There is an extension possible in certain circumstances, of up to two months for complex or onerous requests. You are no longer able to apply a £10 fee, though reasonable charges can be made for a manifestly unfounded or excessive request. 
 
If you refuse to comply with a request, you must notify your employee of their right to complain to the ICO. You don’t need to provide legally privileged information. If you are unable to prove a legitimate interest for retaining the data, you must make sure that you can easily erase the data. Your employee can restrict processing, for example, where the employee contests data accuracy. 

Risks to note 

GDPR has some teeth and you should be mindful of the following:- 
 
Imposes significant fines for breaches – up to £17M (20 million Euros) or 4% annual global turnover. 
Carries criminal sanctions for breaches. 
Allows individuals to make claims for compensation for breaches, including financial loss and for distress caused, against Data Processors and Data Controllers. 
Must notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not have all the details yet. 

10 Steps to reach GDPR compliance with employee personal data 

If this is your first venture into the world of GDPR you may be feeling a little overwhelmed about the work involved to be compliant. You may also be wondering where to start. The following steps will help you with compliance for your organisation’s employee personal data which is a big step forward. Much of the knowledge you gain in this arena can be applied across your organisation. If you’ve already looked at GDPR or attended one of our workshops, this section will help remind you of what needs to happen. 

Step 1 - Get buy-in from top management and raise awareness 

Regardless of the size of your organisation, getting ready for GDPR is easier if everyone is helping. You may need to spend money on consultants, commit your own time to this task or both. Having a plan will certainly be a good start. 

Step 2 - Find your data 

Doing an audit of the data you hold on your employees is going to make your task a lot easier. Think beyond electronic data and dig out all those paper records sitting in the back of the filing cabinets or stored in deep storage offsite. Consider what's on emails that have been left undeleted. 
 
We recommend using The National Archives Information Asset Register Template (click here). We’ve added an additional column to record the lawful bases we are relying on for processing the data. The download version is the standard format.  
 
You’ll find that once you start filling in this spreadsheet, it will all start to make more sense and you will feel as if you are getting somewhere. 

Step 3 - Analyse why you keep each type of personal data 

Once you have found your data you can start to think about why you need to have it. Does the data actually have a use or do you gather it just because you always have? Do you have a system of auditing the data regularly to see if you still need to keep it? 

Step 4 – Decide which lawful bases you are going to rely on to retain and use the personal data 

Consent is likely to be the least used reason. Think of the other five reasons of lawful bases to process personal data and apply the ones that you believe are the right fit. Also give thought to the key principles of GDPR at the start of this article. You need to be able to justify why you have the data and show that you keep it secure. 

Step 5 – Review and update you contracts of employment and policies 

If you have attended our GDPR workshop for employers you will have a handbook policy which covers many of the requirements of GDPR, such as providing your employees with their rights, informing them why you process personal data about them and their responsibilities to keep personal data safe and confidential. 
 
If you don’t have a suitable policy, please get in touch with us. We can take the pain out of this process for you. 

Step 6 – Check and revise your internal processes 

GDPR creates new responsibilities which you will need to have processes for. Using the checklists on the ICO website will identify a number of these. Examples would be having processes to enable employees to apply their new rights or reporting data breaches to the ICO within the 72 hours’ time limit. 

Step 7 - Check and revise your external processes 

You may currently share personal data with other organisations such as your payroll provider. You should ensure that any contract with these organisations requires them to comply with the obligations of GDPR and how they must deal with any breaches. 

Step 8 – Identify who will be responsible for data protection compliance in your organisation 

Depending on the size of your organisation and the type of processing you undertake, you may wish to appoint a Data Protection Officer if you don’t have one already. Alternatively, you could allocate responsibility to a Data Protection Manager who takes the lead in your business data matters. 
 
Whatever you do, make sure someone has the lead. 

Step 9 – Training 

Provide training for everyone taking the lead in GDPR for your business and give them the resources to do the task well. Also provide training to the rest of the organisation because data security probably rests in their hands. Most data mishaps seem to occur due to human error. 

Step 10 – Stay compliant 

After all your hard work making sure that you are compliant, you don’t want to slip back into old ways. Set reminders to audit data collected and review whether it is still required. Provide ongoing training to ensure the message sticks. 

And finally 

We hope that this information has given you a better idea of what you should do by 25th May 2018. We have focussed on employee personal data because we are employment law specialists, but the principles apply to all types of personal data such as mailing lists, emails to prospects and customer data bases. 
 
You will see it start to come together as soon as you begin Step 2 above. You may drift down a few blind alleys and need to back track at times but keep going. As your knowledge grows, you will become your company's very own GDPR expert! 
 
And please give us a call if you need any help. 
 
Good luck. 

Useful GDPR Links 

Designed and created by it'seeze
Our site uses cookies. For more information, see our cookie policy. ACCEPT COOKIES MANAGE SETTINGS