Data protection

Susie Munro

Editor's message: Data protection is at the top of the HR agenda, with the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.

The GDPR places a greater emphasis on accountability and being able to demonstrate that you have the procedures in place to protect your employees’ personal data rights. Even relatively small organisations will process a large amount of employee data, so you will need to invest some time and resources into data protection.

If you are thinking that Brexit may provide an excuse for not putting too much effort into compliance, you will need to reassess your approach. As an EU regulation, the GDPR applies automatically in the UK, and will be incorporated into UK law on Brexit. In any event, being able to demonstrate high data protection standards will be essential for British organisations wanting to continue to do business with the EU in the future.

Some of the key areas of data protection that HR needs to be on top of include:

  • providing your employees and other data subjects with privacy notices, setting out specified information about how you will use the information you gather on them;
  • ensuring that you have the right processes in place to deal with special category data lawfully – this is sensitive information about, for example, your employees’ health, race or trade union membership;
  • being ready to respond to data subject access requests from employees, job applicants or others; and
  • ensuring that third-party data processors, such as benefits providers, have appropriate security measures in place to protect the personal data of your employees.

The Data Protection Act 2018 received Royal Assent on 23 May 2018. This replaces the Data Protection Act 1998, and supplements the provisions of the GDPR.

Susie Munro, senior employment law editor

New and updated

  • Coming soon to XpertHR

    Type: Editor's choice

    Updated to include information on the forthcoming Pay award forecasts.

  • General Data Protection Regulation

    Type: Editor's choice

    Updated to include reference to our latest GDPR-compliant model document, a data protection impact assessment form, for use where processing is likely to result in a high risk to the rights and freedoms of individuals.

  • Data protection impact assessment form (compliant with the GDPR)

    Type: Policies and documents

    A model data protection impact assessment for potentially high-risk data processing. The form uses the example of an impact assessment when an employer is proposing to introduce CCTV monitoring in a particular location.

  • Date: 4 September 2018
    Type: Legal guidance

    HR can play an important part in ensuring compliance with the GDPR, helping to avoid thousands of pounds in fines for data breaches. Agata Nowakowska reminds employers of the day-to-day changes that need to be made, if they have not already done so.

  • GDPR: New model worker and contractor privacy notices

    Date: 30 August 2018
    Type: Editor's choice

    XpertHR has added two example privacy notices for organisations to provide workers and contractors with information about how they process their personal data.

  • Worker privacy notice (compliant with the GDPR)

    Type: Policies and documents

    A model privacy notice for workers to comply with information requirements under the General Data Protection Regulation (GDPR).

  • Contractor privacy notice (compliant with the GDPR)

    Type: Policies and documents

    A model privacy notice for contractors to comply with information requirements under the General Data Protection Regulation (GDPR).

  • Date: 20 August 2018
    Type: Legal guidance

    Organisations are still getting to grips with their obligations under the new General Data Protection Regulation. But if you operate outside the EU, that does not mean you're exempt from the new legislation, as Alice O'Donovan from McGuireWoods explains.

  • Gig economy drivers on collision course with GDPR

    Date: 16 August 2018
    Type: Commentary and analysis

    Some of the major names in the development of the gig economy - such as Deliveroo, Pimlico Plumbers and Uber - may be about to find that the General Data Protection Regulation (GDPR) interferes with core operations within their businesses, writes Seddons solicitor Harry Abrams.

  • GDPR: New model documents on consent, rectification and erasure

    Date: 1 August 2018
    Type: Editor's choice

    XpertHR has added a new form to seek consent to process personal data for a specific purpose, where no other legal basis for the processing applies under the General Data Protection Regulation (GDPR). We also provide new forms and letters for requests for rectification and erasure of personal data under the GDPR.

About this topic

HR and legal information and guidance relating to data protection.

Data protection: key resources

Data protection: quick links

Access our main resources on data protection according to the type of information you need.

Policies and documents: GDPR updates

We provide a list of model policies and documents in which the sample wording has been updated to comply with the General Data Protection Regulation (GDPR), which is in force from 25 May 2018.