Having spent a significant amount of time since the start of the year advising clients on their GDPR obligations, and helping them to prepare documents to evidence compliance, we thought it would be helpful to share the most frequently asked questions on this issue:
Can I just use a template privacy notice that I found online?
It is unlikely that a template privacy notice will be GDPR-compliant. The privacy notice needs to be tailored to each organisation, setting out its specific data collection and handling practices, and linking each type of data collected with the legal ground(s) the employer relies on for processing it.
Must we update our data protection policy?
While there is no specific legal requirement to have any data protection policy at all, having a policy will help employers comply with the new accountability principle under the GDPR. It will show that an organisation has properly considered their obligations, has a procedure in place for collecting, processing and storing data, and is also aware of an individual’s rights in respect of accessing this data.
Do we need to get staff to sign and return a copy of any updated data protection policy?
The GDPR does not require employees to sign an acknowledgement of receipt of any updated policy. However, employers need to demonstrate that they have properly informed employees of their data collection and handling practices, so just redrafting your policy and telling staff you have done so would not be enough. An email to all staff flagging up the new policy and asking them to read it would be sufficient, making sure they know who they can contact if they have any queries or wish to exercise any of their rights relating to their personal data. Online training courses for staff on the GDPR are also a good option.
Do we need a Document Management and Retention Policy?
Under the GDPR, employers must ensure that personal data is kept no longer than necessary, so time limits should be established by the employer for erasure of this data, or for a regular review of what data they hold and why. A document setting this out will show that an organisation has considered this issue and has proper procedures in place regarding the management and retention of documents containing personal data.
Do we need to re-issue updated contracts of employment to all staff containing revised data protection clauses?
No. You will of course no longer be able to rely on any generic consent clauses in existing contracts, but your privacy notice should set out the other grounds you will be relying on for collecting and processing personal data going forward. Any generic consent clauses should be removed from contracts issued from now on and replaced with a cross-reference to your privacy notice.
Can Mundays help draft privacy notices, data protection policies and new contract clauses?