DATA PROTECTION DAY - UNDERSTANDING GDPR

A Reminder of GDPR Obligations for Employers

Today, 28 January, marks Data Protection Day, an annual opportunity to reflect on the importance of safeguarding personal data. For employers, this day serves as a timely reminder to ensure compliance with the General Data Protection Regulation (GDPR) and other data protection laws. As stewards of sensitive employee information, employers carry significant responsibilities to manage and protect personal data. Below, we provide an overview of GDPR, an employer’s obligations, and how to navigate common tricky issues.

Understanding GDPR

The GDPR, which came into effect in May 2018, sets out comprehensive rules governing the processing of personal data. Its principles aim to protect individuals’ rights to privacy and control over their personal information. Employers in the UK must also adhere to the UK Data Protection Act 2018, which operates alongside GDPR.

Key GDPR principles include:

  1. Lawfulness, fairness, and transparency: Employers must process personal data in a lawful and transparent manner.

  2. Purpose limitation: Data must only be collected for specified, explicit, and legitimate purposes.

  3. Data minimisation: Employers should process only the data necessary for the intended purpose.

  4. Accuracy: Employers must ensure data is accurate and up to date.

  5. Storage limitation: Data should be retained only for as long as necessary.

  6. Integrity and confidentiality: Employers must implement security measures to protect data.

  7. Accountability: Employers must demonstrate compliance with GDPR.

Failure to comply can lead to significant fines, reputational damage, and legal action, making compliance essential.

Employer Obligations Under GDPR

Employers process a substantial amount of employee data as part of routine operations, including recruitment, payroll, performance management, and disciplinary actions. Compliance requires robust systems and processes that address the following key obligations:

1. Lawful Basis for Processing

Employers must establish a lawful basis for processing employee data. Common bases include:

  • Contractual necessity: Data needed to fulfil an employment contract.

  • Legal obligation: Data required to meet statutory obligations (e.g., tax records).

  • Legitimate interests: Data processing necessary for the employer’s legitimate business interests, balanced against the employee’s rights.

Importantly, relying on employee consent is discouraged in most scenarios, as the power imbalance in the employment relationship can render consent invalid.

2. Privacy Notices

Employers must provide employees with a privacy notice that clearly explains:

  • The types of data collected.

  • The purposes for processing data.

  • How long data will be retained.

  • Who data may be shared with.

  • Employee rights under GDPR.

Privacy notices should be concise, transparent, and regularly updated.

3. Data Security

Employers must implement appropriate technical and organisational measures to protect data. This includes:

  • Encrypting sensitive information.

  • Restricting access to data on a need-to-know basis.

  • Ensuring IT systems are secure against cyber threats.

Regular staff training is crucial to ensure employees understand their responsibilities in maintaining data security.

4. Responding to Data Subject Access Requests (DSARs)

Employees have the right to request access to their personal data. Employers must respond to DSARs within one month (although this can be extended to three months in specific circumstances), providing a copy of the requested data and explaining how it is processed.

5. Data Breach Management

In the event of a data breach, employers must:

  • Assess the risk to individuals.

  • Notify the Information Commissioner’s Office (ICO) within 72 hours if the breach poses a risk to individuals’ rights.

  • Communicate with affected individuals if the breach is likely to result in a high risk to their rights.

Tricky Issues in Data Protection

While many employers strive to comply with GDPR, certain situations can pose challenges. Below, we address some of the most common tricky issues.

1. Inadvertent Data Breaches

Human error is one of the leading causes of data breaches. Examples include:

  • Sending emails containing sensitive information to the wrong recipient.

  • Misplacing physical files.

  • Improper disposal of documents.

To mitigate this risk:

  • Regularly train staff on data protection.

  • Implement safeguards like email encryption and access controls.

  • Conduct audits to identify and address vulnerabilities.

2. Handling Data Subject Access Requests (DSARs)

DSARs can be complex and time-consuming, especially when they involve large volumes of data or contentious circumstances such as disciplinary action or grievances.

Employers should:

  • Develop clear procedures for handling DSARs.

  • Redact third-party information where necessary to protect others’ privacy.

  • Seek legal advice if unsure about compliance.

3. Balancing Monitoring and Privacy

Employers may monitor employee activities (e.g., email usage or CCTV) for legitimate purposes, such as ensuring productivity or preventing misconduct. However, excessive monitoring can infringe on employees’ privacy rights.

Employers must:

  • Inform employees of monitoring activities through a clear policy.

  • Ensure monitoring is proportionate and justified.

  • Avoid intrusive practices, such as monitoring personal communications.

4. Managing Third-Party Access

Outsourcing services (e.g., payroll or IT support) often involves sharing employee data with third parties. Employers remain responsible for ensuring that third-party processors comply with GDPR.

Steps to ensure compliance include:

  • Conducting due diligence on third-party providers.

  • Including GDPR-compliant data protection clauses in contracts.

  • Monitoring third-party compliance.

Data protection is a critical responsibility for employers, with GDPR setting high standards for compliance. By understanding and addressing their obligations, employers can minimise risks, build trust with employees, and avoid costly penalties.

As we mark Data Protection Day, now is the perfect time to review your organisation’s data protection policies and practices. Are they robust enough to meet the challenges of GDPR compliance? If you’re unsure or need guidance, our team of employment law experts is here to help.