GDPR FAQ.

Having spent a significant amount of time since the start of the year advising clients on their GDPR obligations, and helping them to prepare documents to evidence compliance, we thought it would be helpful to share the most frequently asked questions on this issue:

Can I just use a template privacy notice that I found online?
It is unlikely that a template privacy notice will be GDPR-compliant. The privacy notice needs to be tailored to each organisation, setting out its specific data collection and handling practices, and linking each type of data collected with the legal ground(s) the employer relies on for processing it.

Must we update our data protection policy?
While there is no specific legal requirement to have any data protection policy at all, having a policy will help employers comply with the new accountability principle under the GDPR. It will show that an organisation has properly considered its obligations, has a procedure in place for collecting, processing and storing data, and is also aware of an individual’s rights in respect of accessing this data.

Do we need to get staff to sign and return a copy of any updated data protection policy?
The GDPR does not require employees to sign an acknowledgement of receipt of any updated policy. However, employers need to demonstrate that they have properly informed employees of their data collection and handling practices, so just redrafting your policy and telling staff you have done so would not be enough. An email to all staff flagging up the new policy and asking them to read it would be sufficient; make sure they know who they can contact if they have any queries or wish to exercise any of their rights relating to their personal data. Online training courses for staff on the GDPR are also a good option.

Do we need a Document Management and Retention Policy?
Under the GDPR, employers must ensure that personal data is kept no longer than necessary, so the employer should establish time limits for erasure of this data or for a regular review of what data they hold and why. A document setting this out will show that an organisation has considered this issue and has proper procedures in place regarding the management and retention of documents containing personal data.

Do we need to re-issue updated contracts of employment to all staff containing revised data protection clauses?
No. You will of course no longer be able to rely on any generic consent clauses in existing contracts, but your privacy notice should set out the other grounds you will be relying on for collecting and processing personal data going forward. Any generic consent clauses should be removed from contracts issued in future and replaced with a cross-reference to your privacy notice.

Can Mundays help draft privacy notices, data protection policies and new contract clauses?
Yes!
