New law: Employers review Data Privacy Notices for employees as GDPR looms
Employers should identify who will need a Data Privacy Notices (DPN), determine what should be in them, and revisit their processes and procedures and staff training, to ensure the right individuals receive a DPN at the right time, in readiness for the General Data Protection Regulation (GDPR).
This update was published in Legal Alert - January 2017
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
The GDPR is an EU Regulation that strengthens and unifies data protection for individuals within the EU and regulates the export of personal data outside the EU. Its aim is to give citizens control over their personal data and simplify the regulatory environment for international business. It will replace the UK's current data protection laws. As it is an EU Regulation the GDPR has direct effect – there is no need for enabling UK law. The proposed introduction date is 25 May 2018.
The GDPR requires employers to give job applicants, employees and workers a DPN (sometimes called a fair processing notice) which explains very clearly how their personal data is processed. Further DPNs are required if the processing changes.
DPNs provided under existing data protection rules will usually be too brief to comply with the new GDPR rules. The new rules require that employees, job applicants and workers are told, for example:
- which personal data about them is being processed
- what the employer is going to do with it
- the legal justification for doing so
- whether the data was obtained from a third party (such as a doctor or recruitment agency)
- where it will store the data
- how long the personal data will be kept,
- whether the data will be transferred overseas, and
- the individual's rights in relation to the data
If the DPN is also to be used to obtain consent from the employee to the use of their data, there are different, additional requirements in relation to such consent.
Employers should identify who will need a DPN, determine what should be in them, and revisit their processes and procedures and staff training, to ensure the right individuals receive a DPN at the right time, in light of the upcoming GDPR
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.