Data Privacy Day: Protecting Personal Data in the Workplace

By Joanna Sutton

Principal Associate

Today (28 January 2021) is Data Privacy Day, which is intended to serve as an annual reminder of the importance of respecting privacy and safeguarding personal data.

It may seem like a long time since the General Data Protection Regulation (GDPR) was introduced, but it is still very much with us and remains an important part of our day-to-day lives, even now that we have left the EU.

So, what exactly does an employer have to do under data protection law?

Issue Privacy Notices

All employees and job applicants must be given a privacy notice setting out what sort of information is collected about them, how long it is kept for and who has access to it, amongst other details.

Train Staff

Employees must also be trained about data protection so that they know how to look after the personal data of clients and customers.

They should also be alive to the fact that they may receive a subject access request, which essentially requires the personal data held about an individual to be disclosed to that individual. Such requests have a short response timescale, usually just 30 days, and so it is important that employees flag them as soon as possible to allow adequate time to collate the necessary documentation.

Keep Policies Up to Date

It is recommended that employers have a data protection policy in place which sets out their approach to handling personal data and makes clear to employees what is expected of them.

Other policies, such as those relating to IT, communications and social media, are also relevant to data protection and should be kept up to date.

With most of us working from home at the moment, additional provisions may also need to be included to ensure that copies of documents are stored away securely and that access to electronic equipment belonging to the employer is restricted to the employee's own use.

Report and Record Data Protection Breaches

Serious data protection breaches involving the personal data of employees, as well as clients or customers, need to be reported to the Information Commissioner's Office (ICO), the data protection regulator in the UK, usually within 72 hours of the breach occurring.

Even if a breach is not considered sufficiently serious to report to the ICO, an internal register of all breaches must be maintained.

Employees must be made aware that they need to report all breaches, no matter how insignificant they might consider them to be.

If you would like to review your data protection documentation, please contact us on 0345 646 0406 or fill in our online enquiry form and a member of our Team will be in touch.