
Data protection

Original author: Ellen Temperton, Lewis Silkin LLP
Updating author: Nicky Stibbs

XpertHR editor: Laura Merrylees

Summary

  • The UK General Data Protection Regulation (UK GDPR), the version of EU Regulation (EU) 2016/679 retained in UK law, imposes strict requirements on organisations around the security of, and transparency about, the personal data that they process. (See Introduction)
  • Data controllers must comply with the data protection principles in the UK GDPR and should adopt a "data protection by design and default" approach. (See Principles for processing personal data and Data protection by design and default)
  • For a data controller to be able to process personal data, one of the legal grounds for processing must apply. (See Legal grounds for processing personal data)
  • Consent is unlikely to be a valid legal ground for processing employees' personal data, because the imbalance of power between employer and employee means consent is rarely freely given, and it can be withdrawn at any time. (See Consent)
  • Employers can process special categories of personal data such as information about workers' health, and personal data about criminal records, only where limited conditions are satisfied. (See Special categories of personal data and Criminal convictions and offences)
  • Privacy notices must include information about the personal data that employers process and employees' rights in relation to their data. (See Privacy notices)
  • Most employers will need to keep records of their processing activities, and must carry out a privacy impact assessment (a data protection impact assessment, or DPIA, in the language of the UK GDPR) before any processing that is likely to result in a high risk to individuals. (See Records of processing activities and Privacy impact assessments)
  • Data controllers must report personal data breaches to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the individuals affected must also be told. (See Handling personal data breaches)
  • Under the UK GDPR, data subjects have a number of rights in relation to the personal data held about them, including the right of access and the right to have data rectified or erased. (See Data subject rights)
  • Breaches of the data protection rules may attract a heavy fine. (See ICO fines)