All employers, whatever their size, should have certain critical documents in place now the GDPR and the Data Protection Act 2018 are in force. With significant fines for non-compliance and an increased emphasis on demonstrating compliance, getting the basic documentation correct is essential. These include separate privacy notices for internal staff, applicants and external third parties, a data protection policy and a record of processing.
The main areas and documents to consider include:
- Employment contracts – amendments are likely to be required to data protection clauses and to other clauses where consent is being relied upon for data processing.
- Privacy notices – employers need three different privacy notices (for internal staff, applicants and external third parties) giving data subjects prescribed information about the data being processed, the purposes of processing, the legal basis for processing, recipients and sources of the data, overseas transfers, automated decision making, data retention periods and data subject rights.
- Data protection policy – employers should update their existing policy to ensure it sets out how the employer complies with the GDPR and the Data Protection Act 2018 and how employees must behave in relation to personal data.
- Other key policies – employers would be well advised to have separate policies on information security, breach management and notification, and data retention; existing policies relating to these areas will need to be updated.
- Record of processing activities – employers need to keep a record of their processing of personal data including prescribed information such as the purposes of processing, categories of data subject, categories of data, recipients, overseas transfers, time limits for erasure and security measures.
- Data protection impact assessments – employers will need to carry out such an assessment when planning any processing which creates a high risk, in particular, processing using new technologies.
- Data sharing agreements – employers must put in place agreements with any organisation that processes data on their behalf or any organisation which jointly controls data.
- For employers who wish to transfer personal data overseas, consideration should be given to the method to achieve this on a lawful basis. This could be by means of model clauses (standard contractual clauses authorised by the European Commission) or binding corporate rules (a set of legally enforceable corporate rules that have been approved by the ICO for intragroup transfers).
Of course, the basic documents by themselves will not be sufficient to guarantee compliance with the GDPR. For example, employers will need to train employees to seek to ensure that they comply with the data protection policies. Employers will also need to comply with the information provided in their notices and policies, such as by processing data on an appropriate legal basis, retaining data only where necessary, implementing the findings of data protection impact assessments and notifying the ICO and data subject of certain breaches.
We can assist with drafting and advising on the above documentation if required.