The General Data Protection Regulation (GDPR) comes into force on May 25. From an HR perspective, it imposes data obligations on any employer with EU-based staff. Failure to comply with the GDPR regime can result in significant fines and disruption to your business. Are you ready?

Our article provides questions and answers about privacy notices aimed at staff. The GDPR requires employers to give information to their workforce, setting out in particular the personal data (employee information) the employer holds about them, how it is used and with whom the information is shared.

Q: We already give staff a privacy notice under existing data protection laws. Is that enough?

A: No. The GDPR imposes new requirements on employers. Employers must give more detailed information than is currently required under existing EU data protection laws. Employers also need to ensure that their privacy notices accurately reflect their workforce data processing activities.

Q: Our privacy notice is very long and complex. Is that a problem?

A: Yes. You should make sure that your privacy notices are concise, understandable, accessible and use clear and plain language. It can be hard to reconcile this with the obligation mentioned above about giving detailed information. One way of doing this is to adopt a layered approach—that is, you can have a short privacy notice setting out just the key privacy information with links to more detailed information elsewhere for those who want it. Another way is to have a different privacy notice for each type of data subject. For staff, you can present the information in a Q&A format.

Q: How should I deliver privacy notices to my workforce?

A: Employers can deliver privacy notices to their staff in whatever ways are most appropriate. For example, the privacy notice could be included with staff payslips, hand-delivered at a meeting with acknowledgement of receipt or communicated electronically via the company intranet or by e-mail. We would not generally recommend simply posting on noticeboards in a public area as this may not sufficiently document that the information has been provided to all of the workforce. A blended approach may well be necessary to ensure that privacy notices are seen by all staff, some of whom, for example, may not have easy access to e-mails.

Q: Can I use one privacy notice for all the different categories of staff in my business?

A: You should consider whether it is appropriate to have different, tailored privacy notices for different types of individual in your business. This will help you comply with the requirement that privacy notices should be concise. It would be good practice, for example, to consider having one privacy notice for your employees, workers and consultants, and a separate shorter privacy notice for recruitment candidates, where an employer typically processes more limited categories of information.

Q: Last but not least, what information do I need to give to my staff?

A: Article 13 of the GDPR requires that various types of information be given to data subjects (employees and other staff), including the following:

- The employer's name and contact details, and the Data Protection Officer's contact details (if applicable).
- The purposes and legal basis of processing.
- The categories of personal data concerned.
- The recipients of staff personal data and, if such data is transferred outside the European Economic Area, the protective measures to safeguard such transfers.
- Retention periods for such data.
- Details of data subject rights (including, among other things, rights to correct and access their information and ask for it to be erased).
- The right to lodge a complaint with a data protection authority.

Sarah Delon-Bouquet is an attorney with Bryan Cave Leighton Paisner in Paris. Adam Turner is an attorney with Berwin Leighton Paisner in London. © 2018 Bryan Cave. All rights reserved. Reposted with permission of Lexology.