In the digital age, data protection and employee privacy have become critical issues for employers. The General Data Protection Regulation (GDPR), which came into effect in May 2018, sets out how employers must handle employee data. Failure to comply can result in severe penalties and potential damage to a company’s reputation. This blog provides an overview of the key aspects employers need to consider to ensure compliance and protect their employees’ privacy.
Understanding GDPR and Its Implications
GDPR applies to all organisations processing personal data. For employers, this means any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier such as a name, an identification number, location data, or an online identifier. The types of personal data an employer will process in the employment context include data relating to:
- Recruitment and selection e.g. applications, verification, shortlisting, interviews, pre-employment vetting and retention of recruitment records.
- Employment records including records concerning contact details, emergency contact details, bank details, salary, benefits, pension, sickness and injury, references along with disciplinary, grievance and dismissal.
- Monitoring at work e.g. CCTV footage, opening workers’ emails, monitoring phone calls, using automated checking software to collect information about workers and vehicle monitoring.
- Workers’ health e.g. questionnaires completed by workers to detect health problems, information about a worker’s disabilities or special needs, results of an eye test for a worker using display screens, results of a test to check a worker’s exposure to drugs or alcohol and assessments of fitness to work.
Key Principles of GDPR:
- Lawfulness, Fairness, and Transparency: Employers must process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Only the data necessary for the purposes for which it is processed should be collected.
- Accuracy: Employers must ensure that personal data is accurate and, where necessary, kept up to date.
- Storage Limitation: Data should be kept in a form which permits identification of data subjects for no longer than is necessary.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: Employers must be able to demonstrate compliance with the above principles.
Key points
- Data Protection Policy: Every employer should have a comprehensive data protection policy that outlines how personal data is collected, processed and stored. This policy should be communicated to all employees to ensure transparency and compliance. The policy is usually included in a staff handbook with other policies.
- Data Subject Rights: Employees, as data subjects, have several rights under GDPR, including the right to access their data, the right to rectification, the right to erasure (the right to be forgotten), and the right to restrict processing. Employers must have procedures in place to handle requests to exercise these rights, including data subject access requests.
- Data Breaches: In the event of a data breach, employers are required to report it to the Information Commissioner’s Office (ICO) within 72 hours if it is likely to result in a risk to the rights and freedoms of individuals. Employers should have a data breach response plan in place to act swiftly in such situations and ensure that staff know what to do in the event of a breach.
- Data Protection Impact Assessments (DPIAs): When introducing new technologies or processes that are likely to result in high risks to the privacy of employees, employers must conduct a DPIA to assess and mitigate those risks.
To protect employee privacy, employers should consider some of the following best practices:
- Limit Access to Data: Ensure that access to personal data is restricted to those who need it to perform their job duties. Implement role-based access controls to enforce this.
- Anonymisation and Pseudonymisation: Where possible, anonymise or pseudonymise employee data to reduce the risk of identification in case of a data breach.
- Regular Training: Provide regular training to employees on data protection principles and practices. This helps create a culture of privacy within the organisation.
- Secure Storage and Transfer: Use encryption and other security measures to protect data during storage and transfer. Ensure that data stored on portable devices is encrypted and protected with strong passwords.
- Regular Audits: Conduct regular audits of data processing activities to ensure compliance with GDPR and identify any areas for improvement.
Data protection and employee privacy are ongoing responsibilities that require regular review and improvement. By understanding the legal framework and implementing best practices, employers can protect their employees’ personal data, comply with GDPR, and build a trustworthy workplace environment. Regularly reviewing internal policies and procedures will help ensure that your organisation remains compliant and respectful of employee privacy.
For specific advice, please contact our data protection specialists at Farleys on 0845 287 0939 or get in touch by email through our online contact form.