The General Data Protection Regulation's aim is to ensure that those processing personal data do so in a way that is consistent with the purposes they stated they would use the data for, keep that data in a safe place, do not keep it for longer than is needed, and leave the person who the data is about in control of that data. Consent to hold such data is the cornerstone of GDPR, as is the Data Subject's right to be informed about how you will process their data and about the different categories of data you hold.
GDPR has introduced various new definitions, such as:
‘Data Controller’ – being the person who determines the purposes and manner in which any personal data is to be processed.
‘Data Subject’ – the person to whom the personal data refers.
‘Processing’ – obtaining, recording or holding the information. This could include retrieving or disclosing the data. Basically, it covers the full data lifecycle.
‘Personal Data’ – is any information relating to an identified or identifiable natural person.
‘Sensitive Personal Data’ – is that which reveals racial or ethnic origin, or perhaps political or religious or philosophical beliefs.
‘Privacy Notice’ – this is the information that must be provided by the Data Controller to the Data Subject when the personal data is provided.
So what does this all mean? GDPR sets out various principles which must be adhered to when processing personal data. These include:
- Data must be processed lawfully and fairly, and the Data Subject must be informed about what their data is being collected for and how it will be processed.
- Collected for specified and legitimate purposes, so that once the data has been collected for a specific purpose it can’t be used for other purposes.
- Adequate, relevant and limited to what is necessary for the purpose for which it was collected.
- Accurate and where necessary kept up to date.
- Kept in a form which allows identification of Data Subjects for no longer than is necessary, and
- Processed in a manner that ensures appropriate security.
It is therefore essential that, as an employer holding information about your employees (or even your customers or clients), you implement processes and procedures to ensure the various rights can be served and information can be processed within the specified timeframes. Such rights include the right of the Data Subject to be informed about what their data is being used for, the right to be forgotten (which allows the Data Subject to request that their information be erased), and the right to obtain a copy of their personal data and to have it transferred in a safe and secure way.
Our specialist employment team can advise you on how to achieve the consent of the Data Subject in the correct way, and help draft a privacy notice that is relevant to your business. We can also advise you on how to deal with data breaches, and how to ensure your processes comply.