It is not only an organisation’s clients that are protected under the General Data Protection Regulation (GDPR), but employees as well. The new law aims to strengthen people’s rights to privacy and protect their personal data. This does not just apply to people opting into the company’s online marketing campaigns, but rather everyone involved with the organisation such as suppliers and of course, employees.

The GDPR provides guidelines as to what companies need to have in place to ensure that employee’s information is handled in the correct manner and their privacy is protected at all times. Organisations will be held accountable for how they handle the information that their employees provide them. Personal data for your employees is sensitive much of the time e.g. racial or ethnic origin, religious beliefs, trade union membership, data relating to health including mental health and sexual orientation. It is imperative that the correct procedures are adhered to ensure information breaches are minimised.

What do I need to have in place for my employees?

Privacy Notice – As an employer, you need to provide a list of information to your employees. This list must be in a clear and user-friendly format. recommends having a separate Privacy Notice for your job candidates as the information to be given to them will be different to the information to be given to employees.

For example, candidates may give you their CVs at a networking event or they may ask you to contact them with job opportunities. For all these scenarios you need to be able to demonstrate that you have been transparent. You can e-mail them later with your recruitment privacy notice and the rest of the necessary information.

Data Protection Policy – your company must have a data protection policy that is tailored to your business requirements and should include key messages to staff involved in collecting data, specifying that they only collect the minimal amount of data (e.g. we take data protection seriously, security rules must be followed when handling any data, breach of this Policy will lead to disciplinary action.)

What do I need to do with contracts of employment?

You need to be sure that you rely on a legal basis other than consent for the processing of employees’ personal data. Also, introduce the concept of disciplinary action for data protection breaches. The contracts that are already in place with current employees may only be revised with the consent of each employee. We recommend that you leave these contracts in place as they are, create a Privacy Notice and explain to your employees that you no longer count on the consent provisions in their contracts.

Ideally, employers should look for another legal basis for processing in the first instance, so that if explicit consent is withdrawn, you are able to still process sensitive data.

For example, an alternative for the “Consent” legal basis can be considered “Legal obligation” where the processing is necessary for carrying out the legal rights and obligation of the employer and employee as authorised by employment/social protection law or contained in a collective agreement.

It should be a priority for every employer to ensure that employees’ data remains private and this data is processed in the correct manner, just as ensuring their client’s data is collected and maintained according to the stipulated protocols.