Are you ready for GDPR?

A new General Data Protection Regulation (GDPR) will soon replace the old Data Protection Act (1998). The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

Employers must provide information notices

All employers have an obligation under the GDPR to provide employees with an information notice. This can also be called a privacy notice or fair processing notice. The notice must be provided when the employer collects personal data from the employee or uses existing data for a new purpose.

Details to include in the information notice

In the notice the employer should set out what personal data they hold and for what purpose. The notice should include:

  1. Identity and contact details of the data controller (the employer)
  1. The data protection officer’s details (if one has been appointed)
  1. Purpose of data processing and the lawful basis for the processing
  1. The legitimate interests of the controller or third party, where these justify the data processing
  1. Any recipient or categories of recipients of the personal data
  1. Details of transfers to outside EEA and safeguards
  1. The period how long the data will be stored or criteria used to determine the retention period
  1. The data subject’s rights to request access to, rectification or erasure of data; to request restriction of processing; or to object to processing
  1. The right to data portability
  1. Where the legal basis for processing is consent, the right to withdraw consent at any time
  1. The right to lodge a complaint with the supervisory authority
  1. Whether or not the provision of personal data is a statutory or contractual requirement, and the possible consequences of failure to provide the data
  1. The existence of any automated decision-making and profiling, and the consequences for the data subject.

The notice should be provided when data is obtained.

Data obtained from a third party

If the data was not collected directly from the employee, the notice must also include the source and the categories of personal data to be processed. In this case, the notice should be provided to the data subject within one month of obtaining the data. If the data is used to communicate with the individual, they should receive an information notice at the latest when the first communication takes place. If the personal data is to be disclosed to another recipient, the employee should be notified before the data is shared.

We will be writing further guidance on the topic of GDPR in the coming months. Sign up to our newsletter to stay updated!

You can find out more about the GDPR from ICO.

List articles by category

About Engage

Absence management

Case studies

Holidays

Software as a Service

Tips

Shortlist articles by topic

attendance policy best practice CIPD cost of absence covid-19 early intervention employment law engage fit note flexible working happy workplaces health healthy attendance holiday management how to HR hr software improve productivity innovation Line managers long term absence mental health mythbusting new features news occupational health preventing absence productivity pulling sickies reducing absence return to work SaaS short term absence sick pay SMEs software solutions statistics surveys and research targets technology the Usual suspects triggers UK government wellbeing