As mentioned in our previous GDPR update, the third update in our series will deal with the types of employment related documentation that an employer should now have in place to demonstrate compliance with the GDPR.
Employers must now show how they comply with data protection principles and be clear and open with employees about the data processing and the rights of the employees. The additional employment documentation that employers have in place will play a vital role in demonstrating GDPR compliance generally. Below, we focus on three examples of this: the employment contract data protection clause, the data protection policy and the privacy statement.
For employers, the contract of employment is the first document that should be reviewed. Thereafter, a data protection policy and a privacy statement should be put in place, either combined as one document or two separate documents. While they can be included in the employee handbook, our recommended approach is for these two documents to sit outside the handbook to ensure that they can be updated when and if required to reflect the constant changing organisational needs of a business, otherwise it may require reissuing an updated handbook quite frequently. To ensure that you as an employer can demonstrate compliance with the GDPR and the transparency requirements, we would recommend that upon commencement of employment that you obtain a written acknowledgment from the employee that they have received a copy of the organisation's data protection policy and privacy statement (and also the handbook if contained in it).
1. Contracts of Employment
Most employment contracts contain an express provision confirming the consent of the employee to the processing of personal data. However, under the GDPR, an employer will need to review these template contracts to consider the extent to which consent is still appropriate. In most cases, it will not be. We will consider the thorny issue of consent in more detail in our next update later this week.
For now, our recommended approach is for employers to take a relatively general approach in the contractual clause referring to the detail in the privacy statement and data protection policy, the same way a contract will refer to a disciplinary procedure rather than list its details in the contract.
2. Privacy Statements
A privacy statement is a short document that clearly states the basic information on how an employer gathers, uses, discloses, and manages an employee's personal data. Privacy statements are critical to complying with the transparency obligations in the GDPR so it is vital that they are presented correctly and have the appropriate information included in them. Amongst other things, a privacy statement must state in clear and plain language the following:
- the legal basis for the employer's processing activities, contractual necessity, compliance with a legal obligation or otherwise;
- the period for which data will be retained;
- the new and enhanced rights of employees such as the right of erasure, the right of rectification, the right to restrict processing, the right to object to processing and the right of data portability; and
- details of the DPO must be included as well as details of the employee's right to complain to the relevant supervisory authority.
3. Data Protection Policy
A data protection policy on the other hand is a document that should clearly set out the role of employees relating to the use of personal data by the organisation. It can contain some of the information mentioned above including, the rights of the employees but equally importantly, should contain the obligations which apply to employees who handle personal data, be that within the HR function or more generally in relation to customer or business contact data. The policy should also ideally deal with subject access requests, including an authentication and response procedure for any subject access requests received.
For employers, the contract of employment is the starting point when reviewing employment related documentation for compliance with the GDPR. Our next update will deal with the GDPR and employee consent.
If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.