By Shane Fuller, Lead Privacy Advisor at MetaCompliance and Co-Author of the official ‘GDPR for Dummies’
It’s our experience that a large proportion of organisations are overlooking the need to develop and distribute employee-focused privacy notices as part of their GDPR compliance efforts. Organisations have the misconception that they can include a generic statement regarding the organisation’s use of employees’ data in an employment contract and the job is done!
The reality is very different. Under the GDPR, data subjects (including employees) are entitled to receive a lot more information than under the current law about their data and how it’s handled.
The information that employees are entitled to includes:
- the purpose and legal basis for processing
- who has access to it and why they have access to it
- the rights that they have over it (e.g. rights of access, rectification, erasure or blocking)
- how it is being protected
- how long it is retained
- where it is being transferred to
- their ability to withdraw consent
- the fact that they can lodge a complaint with a Supervisory Authority
This information needs to be spelt out in an easy-to-read privacy notice that is made readily accessible to your employees. From a GDPR perspective, being transparent is a fundamental part of fair processing.
An area worth specific consideration in relation to employee privacy notifications is the monitoring of web, email and other electronic messaging technologies (e.g. Instant Messaging tools). Notifications in this regard should cover why monitoring is needed (e.g. to prevent theft or improper use of data), the circumstances in which it is carried out (e.g. non-personal use of online services), as well as possibilities for employees to prevent their data being captured by monitoring technologies.
In addition to being transparent with your employees, you must ensure that employees are aware of their own responsibility to process personal data properly and of the consequences of a breach. Relevant policies should be updated to ensure that they adequately address the issue of employee accountability. Likewise, privacy notices need to be kept under review to ensure they accurately capture any new types of data collected or any additional or different processing of such data.
To assist you in preparing your Employee Privacy Notice we have put together an Employee Privacy Notice template covering the items discussed above. If you would like to receive a copy of the template, contact us at: firstname.lastname@example.org
About the author
Shane Fuller is a seasoned Data Privacy Consultant and Advisor with over 15 years’ hands-on experience in the fields of data privacy and information protection. Shane works as Lead Privacy Advisor to MetaCompliance, the global provider of staff awareness, policy governance and risk management in the areas of privacy, cybersecurity and compliance. He has a vast array of knowledge built up through working with organisations and vendors globally, focussing on financial services and other highly regulated industries.
Shane has numerous privacy and information security accreditations and certifications including IAPP’s Fellow of Information Privacy (FIP) designation which recognises those with an extensive knowledge of privacy laws, privacy program management and data protection practices.
Shane is also the co-author of the official ‘GDPR for Dummies’ guide that has been showcased across Europe via the GDPR for Dummies Roadshow.
Founded in 2005, MetaCompliance is a global leader in the human aspect of cyber security and privacy compliance. Its innovative cloud platform provides a one-stop-shop management solution for staff awareness and compliance.
The MetaCompliance product range combines eLearning, phishing, GDPR and policy management with cloud-based software to easily implement a range of learning and training.
MetaCompliance addresses specific business challenges that arise from corporate governance and cyber threats as they evolve through compliance legislation and hacker sophistication.
For more information on MetaCompliance, visit www.metacompliance.com
Come and meet MetaCompliance at stand J100 at Infosecurity Europe, June 5-7th, Olympia, London.