GDPR Guidance for Managers
We’ve designed a GDPR guidance specifically for managers. You can edit this in line with your existing internal procedures. Download your copy by completing the form above. While you’re here, take a read of our complete guide to GDPR for Employers below.
The Complete Guide to GDPR for Employers
Introduction
The EU General Data Protection Regulation came into effect on 25th May 2018 for all EU states and impacted all organisations in the UK.
The GDPR was an evolution of the Data Protection Act 1998, not a revolution. This guide provides information on the key changes that the GDPR brought and what they mean for employers.
The impact of the GDPR for employers should have resulted in a more transparent relationship between employer and employee. The legislation gave employees more rights and control over the processing of their personal data.
The GDPR also has stricter regulations and enforcement of penalties to ensure that organisations are held accountable. Increased penalty fines for data breaches are up to €20 million or 4% of your organisation’s turnover.
It’s important to also note that individuals can claim compensation (financial compensation and damages for distress) for breach of the GDPR against the Data Controller and Data Processors.
It is expected that the Information Commissioner’s Office (ICO) will take a sensible attitude to ensuring compliance and be more helpful than trying to catch us out. However, that doesn’t mean that compliance isn’t a requirement.
In this guide to GDPR for employers, employees are referred to throughout. However, the same will apply to workers, consultants and job applicants so please keep in mind that the same rules apply to all categories.
As an employer, you will be controlling and processing a significant amount of data relating to activities such as: payroll; discipline; grievances; training; health and sickness; time off; and performance management (to name just a few).
Personal data can include information such as financial data, personal and health information, CCTV images, and appraisal and performance documentation. It is not always data that is about an employee; it can also be information provided to you by the employee. For example, an email that an employee sends to their manager asking for urgent domestic leave is personal data.

An overview of the important concepts and principles of GDPR for Employers
Six Data Protection Principles
The six “Data Protection Principles” are that personal data must:
- be processed fairly, lawfully and transparently;
- be collected and processed only for specified, explicit and legitimate purposes;
- be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- be accurate and kept up to date (any inaccurate data must be deleted or rectified without delay);
- not be kept for longer than is necessary for the purposes for which it is processed; and
- be processed securely.
Personal Data
Personal data is information or data that relates to a living person. The actual definition under the GDPR is:
“any information relating to an identified or identifiable natural person”.
Names, addresses, contact details, health records, any expression of opinion about that person, and any intention of the data controller in respect of that individual, amounts to personal data. For example, if a manager sends an email saying she is considering performance managing an employee, this will amount to personal data.
Sensitive Personal Data
The definition of sensitive personal data under the GDPR is:
“data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Data Processing
The GDPR defines the processing of data as:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
To summarise, processing data includes: recording or holding data; disclosing the data; using the data for any reason before, during or after a person is employed by you; and/or deleting or destroying the data.
Accountability
You have a duty to show compliance with these principles. It won’t be enough to say that you are compliant – you must be able to prove it if asked. In order to do so, you will need to show that you have:
- robust, detailed data protection policies;
- provided internal training for relevant staff; and
- records of processing activities (e.g. data retention periods, transfers of personal data outside the EU, details of the recipients of personal data).
This information can be requested at any time by the ICO.
You will be required, therefore, to keep extensive internal records of data processing operations. To do this easily, create a data register containing information about all personal data processed by your organisation, including:
- the purposes for which the data is processed;
- a description of the categories of data subjects and the categories of personal data, including if the data is sensitive personal data;
- any transfer of the data outside the EEA;
- the legal bases for processing the data;
- the anticipated retention periods for the different categories of data; and
- the technical and organisational security measures used to safeguard the data.
Privacy is the cornerstone of GDPR
GDPR places data protection at the forefront of every organisation’s activities. You are required to continuously build privacy and data protection into your systems. The best way to do this is to minimise the data that you collect and only use it for the purpose for which it was obtained in the first place.
Processing personal data
In order to ensure that data is processed on a lawful basis, you’ll need to be able to show that you are processing it for one of the following reasons.
- You have the consent of the employee to process the data.
- You can demonstrate that it is necessary for the performance of a contract with the employee, or necessary to do something before entering into the contract with the employee (e.g. taking up references).
- You need to process the data in order to comply with a legal obligation (e.g. providing information to HMRC or to an employment tribunal).
- It is necessary to protect the vital interests of the employee or someone else (e.g. the employee’s life is in danger or their health is at risk).
- It is in the public interest.
- It is necessary for the purposes of the legitimate interests of the employer or a third party (but note: this can be overridden by the interests and fundamental rights and freedoms of the employee).
Processing sensitive personal data
Employers are only allowed to process sensitive personal data in certain situations. These include one or more of the above, but you must also have the employee’s specific consent, unless:
- the employee has already made it public (e.g. posting on social media); or
- you are carrying out your responsibilities under employment law (e.g. health and safety of employees, TUPE, unfair dismissal or compliance with discrimination laws); or
- you are defending legal claims; or
- you are protecting the vital interests of the employee or another person; or
- you need to obtain an assessment of the person’s working capacity.
Transfers to non-EU Countries
If you are transferring employee personal data or sensitive personal data to a non-EU country, you can only do it if there are appropriate safeguards. You are required to do this in line with a contract incorporating what’s known as the EU Model Clauses.
Following Brexit, the EU is currently determining whether further safeguards are required for data transfers between the UK and the EU. If this affects your data transfers, the ICO website has further guidance for your circumstances.

Lawful grounds for processing data
1. You have the employee’s consent
Getting consent to process data was already standard under the Data Protection Act (DPA) 1998. Under this act, consent is implied unless there is an objection. If you still have a clause in your contract that gives you a blanket right to process your employees’ data, this is no longer sufficient under the GDPR.
By incorporating that clause into the contract of employment, we leave the employee with little option but to accept the clause in order to agree to the contract. It’s difficult for an employee to refuse to give consent if it’s presented as a normal and standard term as part of a contract of employment.
To rely on consent under the GDPR, we must be able to demonstrate that it was:
- freely given;
- specific;
- informed;
- unambiguous; and
- distinguishable.
In particular, if you’ll be processing sensitive personal data, consent must be explicit. Keep in mind therefore that a consent clause in your employment contract will no longer be enough. Even if the contract isn’t issued on a take-it-or-leave-it basis, the employee could argue they felt under pressure to accept it.
No genuine choice means consent has not been freely given.
Consent now needs to be distinguishable. It can’t be buried in contracts of employment, policies, or handbooks. It needs to be a separate document with a signature box for employees to sign so you can evidence that the employee has given consent to the data processing.
Specific consent to the sharing of personal data will sometimes be requested at the time (e.g. taking up references, an occupational health referral or mortgage application). However, this will be rare, so the agreement that you make with your employees in relation to data processing will need to be well drafted in order to ensure it can be relied on, as much as possible.
Blanket consent is no longer specific. You’re advised therefore to list each purpose for data processing specifically, and you need to allow the employee to consent, or not, to each one. Some purposes for processing data can be grouped together, but there is a risk this could be challenged. If this happens, you might have to stop processing the data and seek consent each time you process a category of personal data not covered by the original consent.
When drafting your employee data protection policy or privacy notice, note that employees need to be able to withdraw consent for one category of processing data without withdrawing consent for processing all data. You also have to make it easy for employees to withdraw consent.
Due to the difficulties in relying on consent, we believe it should be the last resort to rely on when processing personal data.
2. It is necessary for the performance of the employment contract
This could include, for example, holding data in order to process an employee’s salary and other benefits. When asking whether you can hold personal data for the purposes of a disciplinary investigation, you may also argue that this is necessary for the performance of the contract.
However, holding personal data to improve the business (for example a restructure or reorganisation) is unlikely to fall under this category of lawful grounds. It may, however, fall under one of the other grounds detailed below.
3. Compliance with a legal obligation
An example of this is where you are required to disclose personal data to HMRC, or if you work in a regulated sector, or if you need to comply with a disclosure request from an employment tribunal.
4. Protecting the employee’s vital interests
This may include holding and processing information about an employee’s emergency contacts, or information about them having an allergy.
5. It is in the public interest
This would be used if data processing is necessary for a public authority to complete a public task, such as the administration of justice, parliamentary functions, statutory functions, or governmental functions.
This is unlikely to apply to the majority of private companies. You must be able to prove that processing is necessary for a relevant task, function or power which is clearly set out in law.
6. Processing personal data in pursuit of the employer’s legitimate interest
In terms of grounds for processing personal data, this one may be more open to challenge, but it’s also very helpful. When relying on this, it’s essential that the interests of the employer are not overridden by the interests, or fundamental rights and freedoms, of employees. It is, therefore, a balancing exercise through which you need to establish that you have compelling enough grounds to continue processing the data. The ICO says that this could be the employer’s interests or a third party’s interests.
Note also that processing must be necessary. Legitimate interests won’t apply if you can do it another way so it’s important to balance your interests against the interests of the employees.
If you plan to rely on this then you have to tell the employees which specific interests you are referring to (for example, in order to comply with a customer contract) and you must notify the employees of their right to object. You must also have a policy that demonstrates you have told the employees of the specific legitimate interest you’re relying on or it may be difficult to justify. If you can’t show that you do have a legitimate interest, you may have to stop the processing.

GDPR for Employers: Information that you must provide to employees
Under the GDPR, employers are required to provide employees with the legal basis you’re relying on for processing their data. This should be in a document such as a privacy notice or employee data protection policy and it needs to be concise, transparent, easily accessible and written in plain language.
Below are the key things you need to include in your privacy notice or employee data protection policy to ensure that you’re compliant.
- You must tell the employees the identity of the data controller and of any data protection officer.
- You must tell them the purpose of the processing and the lawful basis you’re relying on.
- If relying on the employer’s legitimate interest for processing the data, you need to say what that legitimate interest is.
- You also need to tell employees the source and category of the data (unless it has come from the employee).
- You should say who will receive the data; this doesn’t need to be the name of the company that will receive the data, but it should be the category (for example: Occupational Health Provider).
- You must tell them the period the data will be stored for or the criteria you’ll use to work out the period for retention.
- You need to tell employees of their data subject rights, that they have the right to withdraw their consent, and that they can complain to the ICO.
- If the personal data will be transferred outside the EU, you must tell the employees the legal basis for this and the safeguards you have in place to protect their data.
- You should also tell the employees about any automated processing and profiling.
How and when to issue the privacy notice or employee data protection policy
The policy needs to be concise, accessible and in plain language. It should be given at the time that the data is obtained from the employee or within one month of processing (this is a guideline from the ICO). Keep in mind that you will need an evidence trail. Ask employees to sign and return or acknowledge the policy in some way so that you can show that you have complied.
Data Protection Officers (DPO)
Public authorities, or organisations whose core activities involve processing large amounts of data, must have a Data Protection Officer. Employers in financial services and the insurance sector are likely to be affected more by this.
If you don’t fall into one of these categories, you are unlikely to need to appoint a Data Protection Officer unless you choose to appoint one. The GDPR has specific rules for DPOs.
Data Protection Impact Assessments
Data Protection Impact Assessments are there to help you identify the most effective way to comply with your data protection obligations. The ICO has guidance on how to conduct a data protection impact assessment.
You only have to do an assessment under the GDPR when processing data in a way that is high risk to individuals (e.g. processing data in a systematic and extensive way such as may be done in the insurance or consumer industry), or if you’re engaged in large scale or systematic monitoring of data in relation to criminal convictions or CCTV in public areas.
Breaches of Security
Breaches of security can happen by accident: sometimes we send an email to the wrong person, lose a memory stick or leave our phone or laptop on the train. Other times it can be deliberate.
If there is a personal data breach in your organisation that is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours (if possible).
If the notification is made outside 72 hours, you must have “reasoned justification” for this. When providing the notification you must tell the ICO: what happened; how many people were likely affected; the likely consequences; and the measures you’re planning to take or are taking to rectify the situation. You must also inform every data subject about the breach.
If there’s no risk, you don’t have to tell the ICO, but you still need to keep a record of the breach, as well as any breaches that you have made the ICO aware of.
You are advised to ensure you have processes in place with absolute clarity about who does what if this happens, as you only have 72 hours to get everything right. The relevant staff will need to know what to do and who to tell if there is a breach in your organisation.

GDPR for Employers: Rights of employees as data subjects
Under the GDPR, employees have the right:
- to relevant information regarding data processing for employees and job applicants;
- to access their own personal data;
- to correct their personal data;
- to erase personal data (right to be forgotten);
- to restrict data processing;
- to object to data processing;
- to receive a copy of their personal data or to request their personal data is transferred to another data controller;
- to not be subjected to automated decision making; and
- to be notified of a data security breach.
1. Right to information for employees and job applicants
Under the GDPR, employers are required to provide detailed information to employees and job applicants about the processing of their personal data. The information must provide:
- the identity and contact details of the employer as a data controller;
- the data protection officer’s (DPO) contact details (if the organisation has a DPO);
- the purposes for which the data will be processed and the legal bases for processing, including, if relevant, the legitimate interests relied on;
- the categories of personal data to be processed;
- the recipients of the data;
- any transfer of the data outside the European Economic Area (EEA);
- the period of storage;
- the rights of data subjects, including the right to access, rectify and require erasure of data, the ability to withdraw consent or to object to processing, and the right to lodge a complaint with the supervisory authority;
- the consequences for the data subject of failing to provide data necessary to enter into a contract; and
- the existence of any automated decision-making and profiling, and the consequences for the data subject.
Employers must provide the information at the point of data collection. Where an employer wishes to process existing data for a new purpose, it must inform employees or job applicants of that further processing.
2. Right to access their own personal data
Under the GDPR, you need to provide information in relation to: the storage of the data; details of the employees’ rights to object to the storage of the data or to rectify the data; their right to complain to the ICO; and the safeguards you have in place to protect their data if it is transferred outside the EU.
Under the GDPR you have to comply with a data subject access request without undue delay and in any event within one month.
You’re advised to make sure your processes can comply with this requirement. This may involve updating processes internally and ensuring relevant employees have the training needed so that they can comply. You can get an extension of an additional 2 months if requests are complex or onerous.
You can also no longer charge a fee if an employee makes a request to access their personal data.
The ICO do say that if the request is manifestly unfounded or excessive, you can charge a reasonable fee in relation to administrative costs. They also say that you could refuse the request in these circumstances (if you do this, you must tell the employee of their right to complain to the ICO at the same time).
However, the ICO have said these provisions will only apply in the most extreme cases; they can’t be used to evade your obligations. The example provided by the ICO is one that “repeats the substance of a previous request”.
Also, if the personal data being requested is legally privileged, you may not have to respond.
Note that under the GDPR it is an offence to change or conceal information instead of responding to a subject access request.
3. Right to correct personal data
Employees now have the right to request that data that is incorrect or incomplete is rectified. Again, compliance should be within one month. If you’ve disclosed the data to one or more third parties, you have to inform them about the correction and tell the employee which third parties you have disclosed incorrect data to.
4. Right to be forgotten
Sometimes referred to as the right to erasure. This right can be exercised by the employee if:
- the data processing is no longer necessary for the purposes for which it was collected or processed;
- the data has been unlawfully processed (e.g. you relied on consent that hasn’t met the conditions required to process the data or you’ve sent a defective privacy notice or policy that hasn’t set out the correct information); or
- the processing relies on the legitimate interest condition and the employee objects and you can’t prove you have legitimate grounds for continuing.
To comply with this right, you might have to update your IT systems to ensure you can easily delete relevant information if you’re asked to do so. Also, ensure staff know what they have to do in these circumstances through guidance and training.
5. Right to restrict or object to processing
Employees have the right to restrict or block the processing of their personal data in certain circumstances. These are where:
- it’s unlawful;
- they contest the data’s accuracy; or
- you relied on the legitimate interest condition and the employee says his or her rights override yours (an example of where this could happen is in disciplinary proceedings where you may have undertaken a covert investigation – the employee may argue his right to privacy overrides your legitimate interests).
When processing is restricted, you can store the data but not process it any further than that. Ensure relevant staff know about these changes and that your systems are able to restrict the data if this happens.
6. Data portability
Employees can now ask you to share their personal data with a third party (for example their bank or an estate agent). This should be done without delay, with no financial charge and usually within one month.
7. Automated decision making
The GDPR has provisions on automated decision making and profiling. This relates to a decision that has been made without human involvement, usually based on pre-programmed criteria and algorithms. Automated decision making does not have to involve profiling, but often does.
Profiling is used by organisations to predict aspects of a person’s behaviour, preferences, and/or make decisions about them, by evaluating the traits of others who appear similar.
There are extra restrictions on automated decision making or profiling that has ‘legal or similarly significant effects’. Under the GDPR this type of processing can only be carried out where the decision is necessary for the entry into or performance of a contract; or authorised by Union or Member State law applicable to the controller (e.g. for the prevention of fraud or tax evasion); or based on the individual’s explicit consent.
Because this kind of processing is considered high-risk, the GDPR requires you to complete a Data Protection Impact Assessment, to show that you have identified and assessed what those risks are and how you will address them.
In such cases, you must:
- inform individuals about the processing;
- introduce an easy way for them to request human intervention;
- allow them to voice their opinion and challenge the decision and request a review of the decision; and
- carry out regular checks to make sure that your systems are working as intended.
When handling personal data, always make sure you have considered the data protection principles and have lawful grounds of processing.
8. Notification of a data security breach
If there is a personal data security breach that threatens the rights and freedoms of an individual, you need to inform the affected individual as well as informing the ICO as per the requirements outlined previously. You should inform the individual about what sort of data is at risk, the steps you have taken or are taking to resolve the breach, any steps they could take, and who to contact for support.

GDPR for Employers: Data Protection by Design and Default
Data protection by design and default is a new approach to data that will require organisations to embed privacy considerations in both operational and strategic HR.
Data protection by design requires employers to take data protection risks into account throughout the process of designing and operating a policy, process, product or service. This means assessing and implementing appropriate and proportionate technical and organisational measures and procedures from the outset to ensure that processing complies with the GDPR.
Data protection by default requires employers to put mechanisms in place within their organisation to ensure that only personal data necessary for each specific purpose is processed. This includes ensuring that:
- only the minimum amount of personal data is collected and processed for a specific purpose;
- the extent of processing is limited to that necessary for each purpose;
- personal data is stored for no longer than necessary; and
- access to the data is restricted to that necessary for each purpose.
By Design
To minimise complications and to ease compliance, the GDPR requires you to have systems to deal with data requests. Data needs to be stored in a commonly used and machine-readable form so that it can be ported in response to data access requests. Individuals could ask for copies of or information on their data, so creating systems which are user friendly and clear for a data officer to access will aid your ability to comply with changes.
For example, the GDPR suggests appointing a Data Protection Officer for companies which process a large amount of data, to cope with the volume of requests, monitor the organisation’s data practice and report on breaches to board-level management as well as to the ICO.
If you are a smaller company, we recommend you allocate this responsibility to a staff member and make sure that they are aware of the implications of the GDPR and are prepared for the changes.
By Default
By processing only necessary data you will minimise the amount of data you have to keep track of, and therefore aid compliance by default.
Your GDPR for Employers audit
1. Is someone in your organisation responsible for your employees’ data?
Someone in the business needs to make sure all necessary processes are in place in relation to how you collect and use your employees’ personal data and who’s responsible for each stage to ensure compliance. This person should have read the ICO guidance as a minimum.
2. Undertake regular data audits
Your audits should identify what personal data you control and/or process. Consider: where does it go; what is done with it; how is it collected; and what happens to it after you’ve collected it? For example: is it disposed of after a decision has been made; where is information stored; how and when will the data be disposed of? How are you able to detect whether there has been a data security breach?
3. Analyse the reasons that data is currently obtained (e.g. payroll purposes, emergencies, carrying out contracts, in case of legal action).
Consider if it’s used or just stored. For example, with an employee’s sickness record, you may have data recording how often an employee is absent on sick leave. You may keep this data to pay sick pay or to monitor unacceptable sickness levels. Or are you not doing anything with it; does it just sit on the employee’s file? How long do you keep the data? Do you need to keep it for that long? You should go through this thought process for each and every category of data that you hold.
Consider also, is the reason you collected the data in the first place still relevant now?
4. Consider which legal processes you rely on for processing and remember the data protection principles.
What reasons do you rely on to process the data? Remember the six main grounds for lawfully processing data.
Consider whether you need to make changes to which personal data you process. For example, could some data be processed so that you can’t tell from processing it which person it relates to? If you’re processing data for research or statistics, you could probably anonymise it (e.g. equal opportunities or diversity monitoring).
5. Review the security of your data.
Passwords should be changed regularly and only shared with relevant people. Encrypt data wherever possible, particularly when employees and workers are working remotely. Do your employees use their own smartphones or laptops that personal data may be stored on?
IT and data protection policies should be regularly reviewed to ensure data is protected and kept secure. Remember to keep records to prove you’re compliant as the ICO can ask to look at those records at any time.
6. Review your employment contracts and policies.
Blanket consent to process data in an employment contract is no longer sufficient. Update policies and employee handbooks where necessary.
If you allow homeworking, your homeworking policy should take account of data protection legislation and potential breaches. Action you may wish to consider includes requiring the encryption of data and banning the use of memory sticks outside the office.
7. Review your disciplinary procedure and make sure that any data breaches are a disciplinary offence (serious breaches should be identified as gross misconduct).
8. Monitoring policies (such as IT, communications, CCTV) also need to be checked.
9. Review your company-wide data protection and security policy and a data retention policy.
10. Update guidance for managers and staff who have responsibility for data protection.
The guidance should tell them what they need to do to comply with the GDPR and include clear processes to follow if they become aware of a security breach. You can download a template GDPR Guidance for Managers document below.

GDPR Guidance for Managers
If you haven’t already done so, we also recommend introducing a form, or online checkbox for managers to say they understand and have complied with the new data protection policies and guidance.
This will also show evidence of your compliance if requested. You may also want to consider training for relevant staff and managers.
11. Review and update your external contracts and processes.
Where you share personal data with third party providers, any contracts with these data processors must clearly set out the data protection obligations and the contractual consequences of any breach. This could include contracts with benefit providers, occupational health and your HR provider.
Internal processes should be clear so that third parties are told of changes to personal data as necessary. You will need to be ready to share data with third parties if required, so an employee’s personal data should be available in an easy-to-read format.
12. Identify who has overall responsibility for data protection compliance in your business.
Do you need a Data Protection Officer? If not, do you have someone who takes responsibility for it?
13. Review your recruitment data protection.
If you store CVs for candidates who have applied to work for you, you will need to have evidence of active consent to hold their data. If you don’t have this, we recommend either deleting the data or contacting the individuals to ask for a positive opt in to consent to your processing of their data.
14. Maintain compliance.
Continue to maintain compliance. An annual audit of how you are processing personal data is recommended, as well as more regular spot checks in high-risk areas. Remind your staff that if the reason for processing data changes, the employee should be told of that.
If you’re responsible for data protection for your company or just for the control and processing of your employees’ data, you’ll need to keep up with the ICO.

GDPR for Employers Terminology Summarised
A glossary covering some of the terms of the GDPR for Employers
Lawful basis of data processing
The need to have a valid lawful reason to process personal data. This could be consent, a legitimate interest or contractual necessity.
Consent
Consent is what you request from an individual in order to process their personal data. It must be freely and willingly given, explicit and require a positive action to opt in. To get explicit consent, you need a clear and specific statement from a data subject that agrees to you processing their data.
Legitimate interest
Legitimate interest is a valid alternative to consent as a lawful basis for processing, but not for special categories of data. It will not be valid if it harms the rights, interests or freedoms of the individual. You should explain and record your legitimate interest in your GDPR file.
Contractual necessity
The need to process data for an employment contract. It might apply to client agreements and candidate agreements where you have them.
Data subject
The data subject is the living person whose personal data is processed by a data controller or data processor; an individual who is the subject of the data.
Personal data
Information that relates to a person/data subject, and can identify them directly or indirectly. For example a name, ID number, IP address or health information.
Personal data breach
A breach of security that leads to:
- Unauthorised access to personal data.
- Unlawful destruction of personal data.
- Loss of personal data.
- Alteration of personal data.
- Unauthorised disclosure of personal data.
Data controller
A person who (either alone, jointly or alongside other people) makes decisions about how to process the personal data they collect and what to do with it. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Data processor
A natural or legal person (excluding the data controller’s employees) who processes data on behalf of the data controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
Data protection officer (DPO)
A person a company will appoint to be their data expert. They are responsible for making sure a company is GDPR compliant.
Data processing
Data processing is when a company gets, records or holds information or data. It can also refer to the carrying out of an operation or set of operations on the information or data. This includes data access, storage, retrieval, disclosure and deletion (also called erasure).
Profiling
Profiling is the automated processing of personal data that a company uses to analyse and predict the behaviour of data subjects.
Right to be informed
A data subject has the right to know how a company will process their personal data. Any information a company gives to the data subject must be concise, clear, understandable and easily accessible. It should also be written in clear, plain language and be free of charge.
Right to access (Subject access right)
A data subject has the right to have complete access to the personal data that a data controller has about them.
Right to be forgotten (Data erasure)
A data subject has the right to have a data controller delete all their personal data.
Right to rectification
A data subject has the right to ask a company to change their personal data if it’s inaccurate or incomplete.
Right to restrict processing
A data subject has the right to suppress or block a company from processing their personal data.
Right to object
A data subject has the right to object to the processing of their information.
They can object to:
- Processing based on legitimate interests or the performance of a task in the public interest/use of official authority.
- Direct marketing.
- Processing for purposes of research and statistics.
How we can help
If you need support with anything GDPR related, our team of HR experts would be happy to help. Contact us on 0330 223 5253 or office@fitzgeraldhr.co.uk.