Data Protection at Work (GDPR)

Recent and forthcoming changes in this topic area

July 2019

As part of a refresh of GDPR guidance in light of new ICO publications, the example data protection policy (available in templates and tools) has been updated with a revised section 5.1 (and consequent renumbering in the rest of the section).


May 2019

We have recently updated the template workforce privacy notices and introduced a new example policy covering the processing of special category and criminal records data. Further information about both these changes can be found on the 'templates and tools' page.

What is the GDPR?

In January 2012, the European Commission announced its intention to reform data protection rules. The Commission proposed that the existing Directive would be replaced by a Regulation, binding on every member state. Since the implementation date of 25th May 2018 fell prior to the date the UK will exit the EU, all UK organisations, and all foreign companies processing the data of EU residents, must be compliant with the General Data Protection Regulation (GDPR) from this date.

The UK government published the Data Protection Bill in September 2017 and this received Royal Assent as the Data Protection Act 2018. The Act should be read in conjunction with the GDPR and contains additional provisions relating to, amongst other things, special categories of data, criminal convictions and offences and subject access requests.


What about HR data?

Data protection law, including the GDPR, covers the processing of 'personal data' which means any information relating to an identifiable person. Schools and other education establishments will be processing personal data relating to staff, but also to others, such as pupils/students. The information available here is focussed predominantly on the HR and employment implications of GDPR and ensuring compliance in this particular area.


What should I be doing to ensure that our HR data processing is compliant with the GDPR?

GDPR implementation did not end on 25th May 2018. For many schools and other education establishments, compliance efforts will be ongoing for many months and - of course - compliance is not a one-off exercise in any event. Many of the changes brought in by the GDPR are about ensuring organisations incorporate data protection principles into day-to-day processes and practices so that considering the implications for personal data becomes the norm.

If you are still working through the process of ensuring your school/college is compliant, here are some of the steps we suggest taking in respect of your HR data:

  • Audit your HR data - what do you keep, why, where and for how long? Who has access to it? You can use our HR data audit template and guidance to support you with this process.
  • Use your HR data audit to identify any areas of non-compliance which will need to be addressed. Create an action plan. We have a template to help.
  • Prepare and issue revised privacy notices to give to your workforce. We have produced templates, based on the DfE model, to help you with this.
  • Update your application forms to ensure that job applicants understand how their data will be used. We have produced a template privacy notice for job applicants and revised the wording in our own template application forms which you may wish to use.
  • Establish a data protection officer for your school/college or trust. You can use our guidance to find out more about the role of the DPO and refer to our example job description and person specification.
  • Ensure you have a process for responding to individuals' requests to access or correct their personal data, object to their data being processed, restrict the processing of their personal data or transfer their data. We have developed a data protection policy which covers these rights as well as resources to support with handling subject access requests.
  • Ensure you have a process to identify, report, manage and resolve any personal data breaches, including in relation to staff data. We have developed guidance on breach reporting.
  • Consider how you will ensure personal data you hold on staff will remain accurate and up-to-date - do you already undertake regular audits? How will you ensure this process happens?
  • Consider any of your policies or practices that may have data protection implications. Are personnel files held securely with restricted access, for example? Do you regularly dispose of the contents when they are no longer needed?
  • Consider how you will raise awareness of GDPR amongst staff. Do you need to offer some awareness training, particularly for those that process data as part of their role?


What resources are available?

In our guidance and information section you can find an overview guidance document on GDPR as a whole, as well as more specific guidance on conducting an HR data audit, the role of the data protection officer, data retention periods for HR data, breach reporting and on handling subject access requests.

In our templates and tools you can find a template for conducting an HR data audit, workforce and job applicant privacy notices, a template HR data retention schedule, an example data protection policy and an example job description and person specification for a data protection officer. There are also links to updated HR policy templates and a range of resources for responding to subject access requests.
