If you have already read around the subject of the GDPR, you might be aware that there are other conditions for processing data, instead of consent, such as legitimate interest or if the data processing is necessary to fulfil a contract or legal obligation.
Just because you don’t always need to rely consent, doesn’t mean you don’t always need to inform your employees of the data you’re processing. As an employer, you should consider how you’re going to inform your employees of the following:
Communicating this to all existing employees should be done preferably in good time before the GDPR comes into force on May 25th, 2018. This will allow you to be able to make any necessary changes to data in light of any objections or amendments before the regulation is in place, demonstrating your commitment to best practices.
Communications must be made in plain, clear language. This will aid employees to understand GDPR obligations, and hopefully reduce potential resistance from employees to any changes.
If everyone within your company is aware of the data controls in place, anyone working outside those parameters can be dealt with accordingly. This article is for general information purposes only and does not constitute legal or professional advice.
1. What employee data you need to process
Employees should know that data is minimised and relevant. No excess or unnecessary data is allowed to be processed without consent or other lawful reason.
2. Why you need to process employee data
You should inform employees that data you will need to process is in line with legal obligations, or to fulfil a contract they have agreed to.
3. How you’re going to process employee data
You should let the employees know which job roles will come into contact with their data; if their data will be passed to any third parties; or, if their data will be moved outside of the EEA (European Economic Area)
4. Where employee data will be stored
Following the previous point, this is an opportunity to reassure employees that their data is securely stored. You should let them know if their data will be stored onsite or elsewhere.
5. What employees can do if they have any objections
If an employee has any objections to the data processing procedures you put in place, then you will need to let them know how to log these. This will allow you keep an audit of any objections, and demonstrate the appropriate action was taken in response to the objection, such as the deletion of data.
6. Who employees should contact to amend data
Usually this would be the HR department, although some companies might decide on a line manager.
7. How employees can access their data
Again, this would usually be through contacting HR. If you are a People® customer and have self-service, your employees can access their information through the People system, either online or via the Apple or Google Play app.
8. What security risks to look out for
Prevention is better than the cure. Making employees aware of the security risks your organisation faces, and how to avoid them, will help reduce the risk of a data breach.
9. Who employees should report a data breach to, and when to report it
The ICO has strict guidelines for breach reporting. Make sure your employees know who to tell about a data breach if they spot one. This would usually be a line manager, or your data protection officer.
10. The consequences of a data breach
Making your employees aware of the consequences of a data breach might help them to realise the importance of information security. Again, this might help to mitigate information security risks.