General Data Protection Regulation
The General Data Protection Regulation (GDPR) is due to come into force in the UK on Friday 25 May 2018. If an organisation is found to be in breach of the GDPR after this date, it could face a fine of up to 4% of its annual turnover, or €20m (£17.8m), whichever is greater.
Organisations need to review their data processes to ensure that they comply with the requirements of the GDPR. Whether you are unsure about where to start with your GDPR preparation, or are further down the line with your compliance efforts, our latest podcast can help. It highlights new and updated resources on XpertHR, such as How to start preparing for the GDPR, which covers the basics, and our model Employee privacy notice, to help you comply with your notification obligations.
Listen to our on-demand webinar on data retention under the GDPR. In this webinar, Jo Broadbent and Stefan Martin from global law firm Hogan Lovells discuss strategies to help employers put in place data retention policies and procedures that comply with the GDPR.
Below we list our new GDPR-compliant model policies and documents as well as our other GDPR resources.
Policies and documents (compliant with the GDPR)
- Data protection policy
- Register of HR-related personal data
- Employee privacy notice
- Job applicant privacy notice
- Form for making a subject access request
- Letter responding to subject access request providing requested information
- Letter responding to data subject access request asking for more information
- Letter extending time to respond to a subject access request
- Letter refusing subject access request or asking for an administrative fee
- Register of subject access requests
- GDPR: Which policies and documents have been updated?
Other GDPR resources
- What is the GDPR?
- When will the GDPR take effect?
- Will the GDPR affect small employers?
- What information must employers supply to employees about the processing of their personal data under the GDPR?
- Which employers are required to appoint a Data Protection Officer under the GDPR?
- Do employers need to amend employees' contracts to comply with the GDPR?
- What effect will Brexit have on the application of the GDPR to the UK?
- What happens if an employer fails to comply with the GDPR when it comes into effect?
- Webinar: Get ready for the GDPR - guidance for employers
- Podcast: Introduction to the GDPR
- Podcast: Primer on the General Data Protection Regulation (GDPR)
The legal grounds for processing data
- Will there be changes to the rules on obtaining consent to process personal data under the GDPR?
- When can employers rely on employees' consent to process their data under the GDPR?
- Other than consent, what legal grounds will there be for processing personal data under the GDPR?
- How to start preparing for the GDPR
- How to develop and implement a GDPR compliance programme
- How to conduct an audit of HR personal data for the GDPR
- Webinar: Processing without consent - taking a deeper dive into the GDPR
- What is personal data under the GDPR?
- Will employers be able to carry out criminal records checks under the GDPR?
- Will employers be able to gather and analyse information for equality monitoring purposes under the GDPR?
- Should employers ask job applicants for consent to process their data under the GDPR?
- What are an employer's obligations under the GDPR in relation to emails containing personal data?
- How will the GDPR affect the processing and retention of recruitment data by employers?
- What restrictions will the GDPR place on employers transferring employee data outside the European Economic Area?
- How to determine the legal grounds for processing employee data under the GDPR
- What are an employer's obligations under the GDPR if it contracts with a third-party provider to process its employee data?
- Can an employer share HR-related data with an external supplier of HR services without the consent of the employees?
Data retention and erasure
- Will the GDPR affect for how long employers can keep data relating to former employees?
- What is the right to be forgotten under the GDPR?
- How can employers balance employees' right to be forgotten under the GDPR with the need to keep HR records?
- How to manage the retention of employee data under the General Data Protection Regulation (GDPR)
- Webinar: Data retention under the GDPR - your questions answered
Subject access requests
- What data subject access rights will employees have under the GDPR?
- How to respond to subject access requests from employees under the GDPR
Special categories of personal data
- What are an employer's obligations under the GDPR in relation to the processing of sensitive personal data?
- How to obtain and use medical reports on employees