Like me, over the last few weeks you have probably received a flurry of emails from companies you have engaged with in some way in the past, asking for permission to continue to send you emails. Without an explicit opt-in they will no longer be allowed to send further emails.
These messages are coming as a result of GDPR, the new European rules about data privacy and regulation. These new rules mean that people have to explicitly opt in to have their emails stored and used. Organisations that break these laws and don’t comply with the new protections could receive hefty fines.
As an owner or manager of a business you have probably sent a similar message to your own subscribers and customers. How have you been addressing the changes to your employees’ data? At Dakota Blue we have been carrying out GDPR work to ensure we are prepared, and we have been supporting a number of our clients to ensure they are GDPR compliant with regard to employee handbooks, contracts and so forth.
The information that employers must supply to employees about the processing of their personal data under the GDPR is significantly more detailed than under the Data Protection Act 1998.
An employee Privacy Notice is a source of information that explains to a person what, how, where, why and when an employer (in this instance the data controller) will process their personal data.
There are numerous types of employment-related data that employers process, and under GDPR it is mandatory that employers provide certain information to their employees. HR-related data must be processed in a fair and transparent way.
Organisations that issue a Privacy Notice will be taking a key step towards achieving GDPR compliance. The ICO website advises that the starting point of a privacy notice should be to tell people:
- who you are
- what you are going to do with their information
- who it will be shared with.
When an employer is constructing a Privacy Notice they need to start by understanding what data they hold, how it is processed and who has access to it. Carrying out an HR audit will help with this. A template privacy policy can be useful as a starting point; however, employers need to tailor it to reflect their individual business and the way it processes the personal data of employees.
A Privacy Notice should be communicated either as a hard copy or electronically to people at the point of data being collected. For example, when a job applicant applies for a role, they should receive an ‘applicant’ Privacy Notice.
The Privacy Notice should provide sufficient detail so that individuals have a clear knowledge and understanding of the types of data held about them, the nature of the processing and their rights under GDPR.
Organisations that are transparent and that provide accessible information to individuals about how they will use their personal data will be taking a key step to compliance with GDPR.
For more information on GDPR visit the ICO website.
Read our blog on GDPR.