General Data Protection Regulation
The General Data Protection Regulation (GDPR) is now in force in the UK (from 25 May 2018). The aim of the GDPR is to establish a modern and harmonised data protection framework across the EU. The new framework imposes strict duties on employers in relation to the processing of personal data, with potentially very large fines for a breach of the rules (up to €20 million, or 4% of the organisation's total worldwide annual turnover if higher). The Data Protection Act 2018 received Royal Assent on 23 May 2018 and supplements the GDPR in the UK in certain areas.
Our range of resources can help you with your compliance work. We have model documents (such as an Employee privacy notice and Job applicant privacy notice), and practical guidance (see for example How to determine the legal grounds for processing employee data under the GDPR).
Look at our Employment law manual, which explains the law on data protection under the GDPR. The guidance describes the rules under the new framework, including those relating to the legal grounds for processing personal data, provision of privacy notices, dealing with special categories of personal data and data subject rights.
Below we list our new GDPR-compliant model policies and documents as well as our other GDPR resources.
Policies and documents (compliant with the GDPR)
- Data protection policy
- Register of HR-related personal data
- Employee privacy notice
- Job applicant privacy notice
- Form for making a subject access request
- Letter responding to subject access request providing requested information
- Letter responding to data subject access request asking for more information
- Letter extending time to respond to a subject access request
- Letter refusing subject access request or asking for an administrative fee
- Register of subject access requests
- GDPR: Which policies and documents have been updated?
Other GDPR resources
- What is the GDPR?
- When does the GDPR take effect?
- Does the GDPR affect small employers?
- What information must employers supply to employees about the processing of their personal data under the GDPR?
- Which employers are required to appoint a Data Protection Officer under the GDPR?
- Do employers need to amend employees' contracts to comply with the GDPR?
- What effect will Brexit have on the application of the GDPR to the UK?
- What happens if an employer fails to comply with the GDPR?
- Webinar: Get ready for the GDPR - guidance for employers
- Podcast: Introduction to the GDPR
- Podcast: Primer on the GDPR
- Podcast: How XpertHR can help you be GDPR ready
- Employment law manual: Data protection
The legal grounds for processing data
- Are there changes to the rules on obtaining consent to process personal data under the GDPR?
- When can employers rely on employees' consent to process their data under the GDPR?
- Other than consent, what legal grounds are there for processing personal data under the GDPR?
- How to start preparing for the GDPR
- How to develop and implement a GDPR compliance programme
- How to conduct an audit of HR personal data for the GDPR
- Webinar: Processing without consent - taking a deeper dive into the GDPR
- What is personal data under the GDPR?
- Can employers carry out criminal records checks under the GDPR?
- Can employers gather and analyse information for equality monitoring purposes under the GDPR?
- Should employers ask job applicants for consent to process their data under the GDPR?
- What are an employer's obligations under the GDPR in relation to emails containing personal data?
- How does the GDPR affect the processing and retention of recruitment data by employers?
- What restrictions does the GDPR place on employers transferring employee data outside the European Economic Area?
- How to determine the legal grounds for processing employee data under the GDPR
- What are an employer's obligations under the GDPR if it contracts with a third-party provider to process its employee data?
- Can an employer share HR-related data with an external supplier of HR services without the consent of the employees?
Data retention and erasure
- Does the GDPR affect for how long employers can keep data relating to former employees?
- What is the right to be forgotten under the GDPR?
- How can employers balance employees' right to be forgotten under the GDPR with the need to keep HR records?
- How to manage the retention of employee data under the GDPR
- Webinar: Data retention under the GDPR - your questions answered
Subject access requests
- What data subject access rights do employees have under the GDPR?
- How to respond to subject access requests from employees under the GDPR
Special categories of personal data
- What are an employer's obligations under the GDPR in relation to the processing of sensitive personal data?
- How to obtain and use medical reports on employees