Data protection and privacy laws touch on almost every aspect of HR.
Employers must strike a fine balance in complying with the UK GDPR, Data Protection Act 2018, and other privacy regulations whilst at the same time conducting disciplinary investigations and procedures and undertaking other employee-related decisions.
To help you, as an employer, gain a brief understanding of your data protection and privacy responsibilities in terms of HR, our Employment Law Solicitors have answered some common questions below.
What is data protection?
Data protection provides data subjects (people who have allowed you to hold and process their data) with certain rights, including the right to:
- access their personal data
- be notified of a data breach which may result in their personal data being compromised
- not have their data shared with third parties without their consent
- have confidence that their sensitive personal data, such as confidential information regarding their health, is not processed unless certain regulatory conditions are met
The fines and reputational damage that can result from a data protection breach are substantial, so it is imperative to take compliance seriously.
What are the main points an employer should be aware of when processing employees’ personal data?
Employers who run an SME should consider the following data protection and privacy law rules and responsibilities when processing employee data and drafting their employment contracts:
- consent – you need to be able to demonstrate that your employees have been informed of how their personal data will be used and for what purposes.
- lawful processing – keep records showing that any processing of personal data relies on one of the six lawful bases for processing under the UK GDPR. Complying with the terms of an employment contract is one of those lawful bases.
- have a comprehensive internet, email, and social media policy that is understood and accessible to all employees.
- keep detailed records that prove your accountability for data protection and privacy compliance. This includes staff training, considering whether to appoint a Data Protection Officer, identifying and eliminating risks to employee privacy, and collecting only personal data that is adequate, relevant, and necessary.
HR data protection and privacy compliance is an ongoing process. Monitor your systems and records regularly so that, if a data breach or subject access request occurs, you can act quickly to comply with your duties under the UK GDPR and the Data Protection Act 2018.
If you require legal advice regarding data protection and privacy law, please do not hesitate to contact us.
Get legal assistance from LawBite
If you don’t comply with GDPR, the regulator (the Information Commissioner’s Office, or ICO) can fine you up to 4% of your turnover. More worryingly still, the ICO can issue a ‘Stop Now’ order, which prevents you from collecting or using personal data at all, either permanently or until you have complied with its requirements.
Our GDPR lawyers will work with you speedily and affordably to understand what your business needs and agree on a pathway to compliance.