General Data Protection Regulation: resource round-up

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 place strict duties on employers in relation to the processing of personal data. Below, we list our UK GDPR-compliant model Policies and procedures as well as our other UK GDPR resources.

UK GDPR-compliant Policies and procedures

HR-related personal data

• Data protection policy
• Processing special category personal data and criminal records data policy
• Register of HR-related personal data
• Data protection impact assessment form

Privacy notices

• Employee privacy notice
• Worker privacy notice
• Contractor privacy notice
• Job applicant privacy notice

Consent

• Form for individual to provide explicit consent to processing of personal data

Subject access requests

• Form for individual to make subject access request
• Letter responding to subject access request providing requested information
• Letter responding to subject access request asking for more information
• Letter extending time to respond to subject access request
• Letter refusing subject access request or asking for administrative fee
• Register of subject access requests

Rectification of personal data

• Form for individual to request rectification of incorrect or incomplete personal data
• Letter informing individual that incorrect or incomplete personal data has been rectified
• Letter asking for more information on request for rectification of incorrect or incomplete personal data
• Letter extending time to respond to request for rectification of incorrect or incomplete personal data
• Letter refusing request for rectification of incorrect or incomplete personal data or asking for administrative fee

Erasure of personal data

• Form for individual to request erasure of personal data
• Letter informing individual that personal data has been erased
• Letter asking for more information on request for erasure of personal data
• Letter extending time to respond to request for erasure of personal data
• Letter refusing request for erasure of personal data or asking for administrative fee

Other UK GDPR resources

The basics

• What is the UK General Data Protection Regulation (UK GDPR)?
• Does the UK GDPR apply to small employers?
• What information must employers supply to employees about the processing of their personal data under the UK GDPR?
• Which employers are required to appoint a Data Protection Officer under the UK GDPR?
• What is the effect of Brexit on the application of the General Data Protection Regulation to the UK?
• What happens if an employer fails to comply with the UK GDPR?
• Employment law guide: Data protection

The legal grounds for processing data

• When can employers rely on employees' consent to process their data under the UK GDPR?
• What legal grounds are there for processing personal data under the UK GDPR?
• How to review your organisation's compliance with the UK GDPR
• How to conduct an audit of HR personal data for the UK GDPR

Processing activities

• What is personal data under the UK GDPR?
• Can employers carry out criminal records checks under the UK GDPR?
• Can employers gather and analyse information for equality monitoring purposes under the UK GDPR?
• Should employers ask job applicants for consent to process their data under the UK GDPR?
• What are an employer's obligations under the UK GDPR in relation to emails containing personal data?
• How does the UK GDPR affect the processing and retention of recruitment data by employers?
• What restrictions does the UK GDPR place on employers transferring employee data outside the European Economic Area?
• How to determine the legal grounds for processing employee data under the UK GDPR

Third-party processing

• What are an employer's obligations under the UK GDPR if it contracts with a third-party provider to process its employee data?
• Can an employer share HR-related data with an external supplier of HR services without the consent of the employees?

Data retention and erasure

• Does the UK GDPR affect for how long employers can keep data relating to former employees?
• What is the right to be forgotten under the UK GDPR?
• How can employers balance employees' right to be forgotten under the UK GDPR with the need to keep HR records?
• How to manage the retention of employee data under the UK GDPR

Subject access rights

• What data subject access rights do employees have under the UK GDPR?
• How to respond to subject access requests from employees under the UK GDPR

Special categories of personal data

• What are an employer's obligations under the UK GDPR in relation to the processing of special categories of personal data?
• How to obtain and use medical reports on employees