New law: Employers review Data Privacy Notices for employees as GDPR looms

Employers should identify who will need a Data Privacy Notice (DPN), determine what should be in them, and revisit their processes and procedures and staff training, to ensure the right individuals receive a DPN at the right time, in readiness for the General Data Protection Regulation (GDPR).

The GDPR is an EU Regulation that strengthens and unifies data protection for individuals within the EU and regulates the export of personal data outside the EU. Its aim is to give citizens control over their personal data and simplify the regulatory environment for international business. It will replace the UK's current data protection laws. As it is an EU Regulation the GDPR has direct effect – there is no need for enabling UK law. The proposed introduction date is 25 May 2018.

The GDPR requires employers to give job applicants, employees and workers a DPN (sometimes called a fair processing notice) which explains very clearly how their personal data is processed. Further DPNs are required if the processing changes.

DPNs provided under existing data protection rules will usually be too brief to comply with the new GDPR rules. The new rules require that employees, job applicants and workers are told, for example:

  • which personal data about them is being processed
  • what the employer is going to do with it
  • the legal justification for doing so
  • whether the data was obtained from a third party (such as a doctor or recruitment agency)
  • where it will store the data
  • how long the personal data will be kept
  • whether the data will be transferred overseas
  • the individual's rights in relation to the data

If the DPN is also to be used to obtain consent from the employee to the use of their data, there are different, additional requirements in relation to such consent.

Operative date

  • Now

Recommendations

  • Employers should identify who will need a DPN, determine what should be in them, and revisit their processes and procedures and staff training, to ensure the right individuals receive a DPN at the right time, in light of the upcoming GDPR

© Atom Content Marketing 2017