Are you ready for GDPR?
A new General Data Protection Regulation (GDPR) will soon replace the old Data Protection Act (1998). The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Employers must provide information notices
All employers have an obligation under the GDPR to provide employees with an information notice. This can also be called a privacy notice or fair processing notice. The notice must be provided when the employer collects personal data from the employee or uses existing data for a new purpose.
Details to include in the information notice
In the notice the employer should set out what personal data they hold and for what purpose. The notice should include:
- Identity and contact details of the data controller (the employer)
- The data protection officer’s details (if one has been appointed)
- Purpose of data processing and the lawful basis for the processing
- The legitimate interests of the controller or third party, where these justify the data processing
- Any recipient or categories of recipients of the personal data
- Details of any transfers of the data outside the EEA, and the safeguards in place for such transfers
- The period for which the data will be stored, or the criteria used to determine the retention period
- The data subject’s rights to request access to, rectification of, or erasure of their data; to request restriction of processing; or to object to processing
- The right to data portability
- Where the legal basis for processing is consent, the right to withdraw consent at any time
- The right to lodge a complaint with the supervisory authority
- Whether or not the provision of personal data is a statutory or contractual requirement, and the possible consequences of failure to provide the data
- The existence of any automated decision-making and profiling, and the consequences for the data subject.
The notice should be provided when data is obtained.
Data obtained from a third party
If the data was not collected directly from the employee, the notice must also include the source and the categories of personal data to be processed. In this case, the notice should be provided to the data subject within one month of obtaining the data. If the data is used to communicate with the individual, they should receive an information notice at the latest when the first communication takes place. If the personal data is to be disclosed to another recipient, the employee should be notified before the data is shared.
We will be writing further guidance on the topic of GDPR in the coming months. Sign up to our newsletter to stay updated!
You can find out more about the GDPR from the ICO.