Data protection

Susie Munro

Editor's message: Data protection has been at the top of the HR agenda, with the introduction of the General Data Protection Regulation (GDPR) last year.

The GDPR places a greater emphasis on accountability and being able to demonstrate that you have the procedures in place to protect your employees’ personal data rights. Even relatively small organisations will process a large amount of employee data, so you will need to invest some time and resources into data protection.

If you are thinking that Brexit may provide an excuse for not putting too much effort into compliance, you will need to reassess your approach. As an EU regulation, the GDPR applies automatically in the UK, and will be incorporated into UK law on Brexit. In any event, being able to demonstrate high data protection standards will be essential for British organisations wanting to continue to do business with the EU in the future.

Some of the key areas of data protection that HR needs to be on top of include:

  • providing your employees and other data subjects with privacy notices, setting out specified information about how you will use the information you gather on them;
  • ensuring that you have the right processes in place to deal with special category data lawfully – this is sensitive information about, for example, your employees’ health, race or trade union membership;
  • being ready to respond to data subject access requests from employees, job applicants or others; and
  • ensuring that third-party data processors, such as benefits providers, have appropriate security measures in place to protect the personal data of your employees.

The Data Protection Act 2018 received Royal Assent on 23 May 2018. This replaces the Data Protection Act 1998, and supplements the provisions of the GDPR.

Susie Munro, senior employment law editor

New and updated

About this topic

HR and legal information and guidance relating to data protection.