Data protection law (GDPR) and employers

GDPR compliance for employers from Lawrite

All UK employers need to make sure that their data protection policy, and any other information they give employees about data protection, complies with the requirements of the General Data Protection Regulation (GDPR).

Data protection policies and privacy notices

The Lawrite Documents package for employers and the Lawrite Employer Support Service both include GDPR-compliant templates for data protection policies and privacy notices which employers can use.


The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016, with an enforcement date of 25 May 2018.

The GDPR strengthens the EU data protection regime originally introduced by the Data Protection Directive of 1995, which the UK implemented as the Data Protection Act 1998.

Organisations in breach of the GDPR can be fined up to 4 per cent of their annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements.

The conditions for consent have been strengthened. A request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, must be clearly distinguishable from other matters, and must state the purpose of the data processing to which the consent relates.

Part of the expanded rights of data subjects under the GDPR is the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and if so where and for what purpose. The controller must also provide a copy of the personal data free of charge and, where the request is made electronically, in a commonly used electronic format.

The GDPR introduces the right to erasure (the "right to be forgotten"), which entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data and, where applicable, have third parties halt processing of the data. The conditions for erasure, set out in Article 17, include the data no longer being necessary for the purposes for which it was collected, or the data subject withdrawing consent.

For employers, the GDPR builds on the established data protection principles and introduces some important changes in the way they should communicate data protection information to their staff. Significantly, employers will generally no longer be able to rely on consent as a lawful basis for processing employee personal data, because the imbalance of power in the employment relationship means consent is unlikely to be freely given. Employers will instead need to rely on one of the other lawful bases for processing under the GDPR, such as performance of the employment contract, compliance with a legal obligation or the employer's legitimate interests.

Employers should have a clear privacy notice which tells employees and job applicants what personal data the employer collects and processes and why, how and for how long it is kept, and which sets out the rights the individual has under the GDPR.
