All UK employers are expected to comply with the GDPR as it seeks to increase protection around the unauthorised use of employees’ personal data. The added duties which accompany the GDPR have caused much consternation amongst employers, as many fear the onerous task of altering long-established workplace practices to remain compliant.
A common question for employers to consider is whether they need to amend pre-existing employment contracts to comply with the GDPR. Naturally, this is a concern for employers, given that the process for amending contractual clauses can typically include a prolonged consultation period. However, there is no specific obligation to amend an employee’s contract, although employers may wish to update any references to previous data protection laws.
Instead, under GDPR, employers can use a separate privacy notice for all current and future employees to meet employees’ right to be informed. Privacy notices should provide sufficient information on the processing of employees’ personal data, including the business reason(s) and legal basis for doing so. Employees also have a right to be informed of the retention period of their personal data and of their own data rights.
Employers can also consider creating a specific GDPR and data protection workplace policy to provide an information and guidance document for all members of staff. They should also review and amend existing policies on matters such as IT usage and CCTV surveillance to ensure they remain in line with the new obligations under GDPR. Having appropriate policies is key to outlining an organisation’s continued commitment to the GDPR and will help ensure business practices remain compliant.
As with any new legislation, the first few months following GDPR may result in an influx of employee queries as staff seek to gain a greater understanding of their rights. Employers can consider ways to inform staff by breaking down the complexities of GDPR into layman’s terms. It may therefore be beneficial to provide updated employee handbooks or arrange staff training sessions to explain the everyday practicalities of GDPR and what it means for them.
As the deadline approaches, employers are urged to make proactive attempts to get to grips with GDPR. Rather than having to reinvent the wheel, in many cases measured additions to existing workplace practices will help ensure your organisation remains compliant come 25th May.