The General Data Protection Regulation (GDPR) is now law. In broad terms, it is an enhancement of individual rights under the Data Protection Act 1998. Many of us will have received data privacy notices from organisations that hold information about us. In an employment context, employers should be sending staff similarly worded privacy notices which set out how employee data is collected and used by them.
Part of the employee data privacy notice will need to deal with how an employer shares employee data with third parties. We are often asked whether it is necessary for an employer to have something in writing between themselves and those third parties.
The answer is yes. The GDPR requires that any processing of employee data by a third party must be governed by a 'contract in writing' between the employer (known as the data controller) and that third party (known as a data processor). The contract needs to contain specific information required under the GDPR.
Whilst it is an additional obligation on an employer, the reality is that there may already be a contract in place between the parties which satisfies the requirements of the GDPR. In addition, if that third party in turn sub-contracts data processing to another organisation, there is a requirement to have a written data processing agreement in place between them as well. The aim, it seems, is to encourage accountability and security in the processing of individual data among data processors.
Employers should seek advice if they are unsure. The ICO has provided useful guidance on GDPR which can be found here.
The Guide to the General Data Protection Regulation (GDPR) explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection