call us now 0203 669 2216

GDPR compliance for employers: checklist

This checklist sets out issues for employers to consider regarding the personal data of employees when assessing compliance with the General Data Protection Regulation ((EU) 2016/679) (GDPR) and the Data Protection Act 2018.

This checklist provides a summary of the key steps for employers to take regarding employee personal data when assessing compliance with the General Data Protection Regulation ((EU) 2016/679) (GDPR) and the Data Protection Act 2018 (DPA 2018). Businesses should follow a similar process in relation to personal data they process in relation to other types of staff, such as workers, contractors, freelancers, agency staff and interns.

This checklist does not constitute legal advice but merely guidance and you are encouraged to seek specialist legal advice.

Action Relevant provision(s)
Employee data audit

  • HR to work with legal, compliance, IT and commercial/operations teams
  • Identify what personal data you hold about employees and candidates (and where it came from)
  • Identify all the ways in which you process personal data and the purposes of the processing
  • Verify how long you currently retain the personal data and how long you need to keep the personal data for the purpose for which it is collected
  • Identify any parties to whom you transfer personal data, including any international data transfers, for example, payroll and benefits providers and other group entities
  • Review any associated contracts
  • Audit current HR processes for compliance with the principles of “data protection by design” and “data protection by default”
  • Identify any automated decision-making within HR processes, for example, in recruitment (automated rejection and short-listing), triggers for sickness absence or disciplinary action, attendance bonuses, shift and holiday rostering, and employee monitoring
  • Ensure the audit is properly documented
Identify any lawful basis for processing employee personal data that had been relied on under the DPA 1998

  • This will likely be employee consent, possibly obtained via a clause in the employment contract
  • Confirm current basis for processing “sensitive personal data” (including details of criminal convictions and offences)
Schedule 2, Data Protection Act 1998 (DPA 1998)

Schedule 3, DPA 1998 (sensitive personal data)

Identify lawful basis for processing employee personal data under GDPR

One of the following must apply:

  • The employee gives valid consent (although consent will not be valid where there is a clear imbalance between the data subject and data controller, such as in an employment context)
  • Necessary to carry out the employment contract
  • Necessary for the employer to comply with a legal obligation
  • Necessary to protect the vital interests of the employee or another person
  • Necessary in the public interest or if the employer is exercising official authority
  • Necessary for a legitimate interest of the employer or a third party which is not overridden by the interests or fundamental rights and freedoms of the employee
Article 6, GDPR (lawful grounds)

Recitals 32, 42 and 43 and Article 7, GDPR (consent)

Identify lawful basis for processing special categories of employee personal data (formerly known as “sensitive personal data”) under GDPR
One of the following must apply:

  • Valid explicit employee consent
  • Necessary for carrying out employment rights and obligations, it is authorised by domestic or EU law and the employer has an appropriate policy document in place
  • Necessary to protect the vital interests of the employee or another person where the employee is incapable of giving consent
  • Processing by a foundation, association or not-for-profit with a political, philosophical, religious or trade union aim
  • If the employee has made the personal data public
  • Necessary for the employer to establish or defend legal claims
  • Necessary for reasons of substantial public interest (including the processing of personal data revealing race, religious beliefs, health or sexual orientation for the purposes of promoting equality of treatment, and including processing necessary to determine eligibility for or benefits payable under an occupational pension scheme which can reasonably be carried out without the employee’s consent), and the employer has an appropriate policy document in place
  • Necessary for the assessment of the employee’s working capacity either on the basis of domestic or EU law or pursuant to a contract with a health professional, and subject to confidentiality safeguards
Article 9, GDPR

Recitals 32, 42 and 43 and Article 7, GDPR (consent)

Section 10; paragraphs Parts 1, 2 and 4, Schedule 1, DPA 2018

Identify lawful basis for processing of employee personal data relating to criminal convictions and offences under GDPR
The processing must be authorised by domestic or EU law and, if authorised by domestic law, one of the following must apply:

  • Necessary for carrying out employment rights and obligations and the employer has an appropriate policy document in place
  • Valid employee consent (although consent will not be valid where there is a clear imbalance between the data subject and data controller, such as in an employment context)
  • Necessary to protect the vital interests of the employee or another person where the employee is incapable of giving consent
  • Processing by a foundation, association or not-for-profit with a political, philosophical, religious or trade union aim
  • If the employee has made the personal data public
  • Necessary for the employer to establish or defend legal claims
Article 10, GDPR

Recitals 32, 42 and 43 and Article 7, GDPR (consent)

Section 10; Parts 1, 2, 3 and 4, Schedule 1, DPA 2018

Data cleansing

  • Update data retention policy based on results of audit and apply it
  • Securely delete or de-personalise all employee personal data where there is no lawful basis for the processing under GDPR
Amend HR policies and processes

  • For example, procedures relating to recruitment, promotions, compensation, disciplinary, grievances, performance management, sickness absence, employee monitoring and references
  • Update data protection policy
  • Update all policies and procedures to comply with the principles of:
  • ”Data protection by design”: are the data protection principles taken into account in the design and operation of the policy/process? Are any necessary safeguards fully integrated?
  • ”Data protection by default”: are there mechanisms in place to ensure that only the personal data necessary for each specific purpose is processed, including the amount of personal data collected, the extent of processing, the period of retention and the accessibility of the personal data?
  • Conduct a data protection impact assessment (DPIA) if required
  • Notify employees of changes to policies/handbook
Article 25, GDPR (data protection by design and default)

Article 35, GDPR (DPIA)

Automated decision-making (including profiling)

  • Identify the lawful basis allowing you to take decisions that significantly affect an employee based on automated processing:
  • Necessary to carry out the employment contract
  • The employer notifies the employee in writing of a decision based on automated processing and allows the employee the right to request a reconsideration within 21 days
  • Valid explicit employee consent
  • Ensure that suitable measures to safeguard the employee’s rights and freedoms and legitimate interests are in place, including the right to obtain human intervention, the right to express the employee’s point of view and the right to appeal any automated decision
  • Automated decision-making on the basis of special categories of personal data must be permitted by valid, explicit employee consent or in the substantial public interest, with suitable measures to safeguard the employee’s rights and freedoms and legitimate interests
Articles 13(2)(f) and 14(2)(g), GDPR (notification to employees)

Article 22, GDPR

Article 13(f), GDPR (obligation to notify employee)

Section 14, DPA 2018

Data transfers to third parties (other group entities and service providers)

  • Identify lawful basis for all data transfers, including in particular any cross-border data transfers
  • Update all contracts with service providers to ensure they contain the mandatory protections
  • Update procedures so that GDPR compliance forms part of due diligence when entering into a new contract with an HR supplier
Articles 13(1)(f) and 14(1)(f), GDPR (notification to employees)

Article 28, GDPR (contracts with processors)

Chapter V, GDPR

Notify employees of the processing of personal data

  • Whatever the lawful basis for processing, prepare privacy notice to notify employees of mandatory information in clear and plain language within required timeframe
  • Ensure that procedures are updated so that the mandatory transparency information is notified to employees and candidates when required as future personal data is collected or when the purpose of processing changes
Article 12, GDPR (transparency)

Article 13, GDPR (information to be provided when personal data collected)

Article 14, GDPR (information to be provided when the personal data has not been collected from the employee)

Paragraphs 19 and 24, Schedule 2, DPA 2018 (disclosing legally privileged information and confidential references)

Subject access requests

  • Update SAR policy and procedures: new timeline, free of charge unless request is manifestly unfounded or excessive, new information requirements
  • Arrange updated training for all staff who handle SARs
Article 12, GDPR (timeframe for response and fee)

Article 15, GDPR

Paragraph 16, Schedule 2, DPA 2018 (protection of the rights of others: general)

Paragraphs 19 and 24, Schedule 2, DPA 2018 (disclosing legally privileged information and confidential references)

Other individual rights

  • Establish procedures for dealing with the withdrawal of employee consent to processing
  • Establish procedures for dealing with employees’ rights to rectification, erasure (”right to be forgotten”), restriction of processing and data portability
  • Establish procedures for dealing with employees’ right to object to the processing of personal data
Article 7, GDPR (withdrawal of consent)

Article 12, GDPR (timeframe for response and fee)

Article 16, GDPR (rectification)

Article 17, GDPR (erasure)

Article 18, GDPR (restriction of processing)

Article 19, GDPR (obligation to notify new parties)

Article 20, GDPR (data portability)

Article 21, GDPR (right to object to processing)

Recruitment

  • Establish process for notifying candidates of how their personal data is processed and the lawful basis for doing so
  • Prepare candidate privacy notice
Article 12, GDPR (transparency)

Article 13, GDPR (information to be provided when personal data collected)

Article 14, GDPR (information to be provided when the personal data has not been collected from the employee)

Data protection officer (DPO)

  • Establish whether you are required to appoint a DPO
  • If so, appoint a DPO, scope the role in accordance with GDPR requirements and provide them with the necessary training and resources
  • If a DPO is not mandatory, consider designating a senior individual as having responsibility for data protection
Articles 37-39, GDPR
Accountability

  • Can the employer demonstrate compliance with the GDPR in all the above respects?
  • Does the employer keep all mandatory records and can it show them to the ICO upon request?
Article 5(2), GDPR

Article 30, GDPR (records)

Training

  • Arrange updated training for all staff who handle personal data
Article 39, GDPR (obligations of DPOs)
Regular review

  • Ensure that all arrangements and privacy notice are subject to regular review for continued compliance
  • Ensure any policy document relating to the processing of special categories of personal data or criminal convictions is subject to regular review and updated where appropriate

CONTACT

Call or email us to arrange a free consultation.

0203 669 2216

enquiries@herefordssolicitors.co.uk

SHOW LOCATIONS >






2019-02-11T15:56:21+00:00