29th March 2018

HR Issues – GDPR Guidance Note 1 – HR and Employee Documents


Article 25 (data protection by design and by default) of the General Data Protection Regulation (GDPR) expects organisations to build data protection into their processes, so relevant policies and procedures should be updated. Accordingly, please find listed below the HR documents we suggest you review to ensure readiness for GDPR compliance. You will also need to notify employees of any changes to the contract, handbook, policies and procedures.

Organisations which are GDPR compliant are more likely to generate trust from their key stakeholders when processing their personal data, resulting in a competitive advantage.

Privacy and Fair Processing Notices

The Information Commissioner’s Office (ICO) states: “Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU GDPR. The most common way to provide this information is in a privacy notice”.  They go on to state that in many situations where organisations obtain personal data as part of a simple transaction it should be straightforward to use the key recommendations in their Privacy, Transparency and Control code of practice to develop a clear and effective privacy notice.

However, in other situations it will not be effective to use a single document to inform individuals about what you do with personal data. The ICO favours a “blended approach” to presenting information about personal data, and you should consider whether you need separate Fair Processing Notices, which typically were incorporated into Privacy Notices. If you have these documents in place you could then consider inserting at the bottom of HR forms:

“This document will be processed in accordance with the data protection legislation, further details can be found in the Fair Processing Notice for employees which can be found [state where e.g. intranet]”.

Below we highlight typical employee documents and guidance notes. Each organisation will be different and some of the documents may be found within another policy or procedure.  The key will be to ensure any HR document meets the requirements of the GDPR principles and also reflects the rights of data subjects.

Before commencing your policy and procedure review we advise you consider your GDPR policy structure and whether you are going to have a Privacy Policy, Fair Processing Notice and Data Protection Policy and the purpose / content of each.

Document Guidance Notes
Employment contract and employment handbook

Typically employers rely upon a “blanket” clause about data protection, possibly a tick box against a data protection clause. From 25th May 2018, within the employment relationship it is best to rely upon consent only in exceptional situations (e.g. consent to obtain a medical report). In the employment relationship consent is rarely freely given, as the employer normally has the greater bargaining power, and consent that is not freely given is not valid under the GDPR.

Some organisations may decide to be silent in the contract but issue a privacy notice or fair processing notice for employees as a separate document. Our advice is that it is best to have a statement within the contract and then provide an expanded privacy notice. The reason to have a statement within the contract is to remind employees of their own duties in relation to data protection. On relevant employment forms you may wish to refer to the appropriate privacy notice/fair processing notice too.

Clients have asked whether it is necessary to issue updated contracts to existing employees. This is an organisational decision, but given that the contract was correct at the time of issue it is fine to continue with the current contract and to update it when you process other changes (and certainly to update any new contract issued after 25th May 2018). We advise that, as part of your employee awareness communication, an email is sent to all employees notifying them of the change and referring them to the privacy notice/employee fair processing notice.

Policies & procedures
Data Protection Policy (including Subject Access Request)

This policy will typically cover more than just employees but HR should check that:

a) The Subject Access Request timescale has been updated to one month (this can be extended by a further two months where requests are complex or numerous, but the individual must be told of the extension, and the reasons for it, within the first month).

b) The fee for a Subject Access Request is removed (a reasonable fee may still be charged in limited circumstances, e.g. for further copies of the same data or where a request is manifestly unfounded or excessive).

c) The principles and data subject rights are reflected and any new or revised rights are added, e.g. the right to have data transferred to another system (data portability) and the right to erasure (the “right to be forgotten”), under which an individual can request that their data is permanently deleted where no overriding reason to keep it applies.

d) Employees are told if their personal data is transferred outside of the EU, and on what basis.

e) If applicable to your organisation, biometric and genetic data are added to your list of sensitive data (“special categories of personal data” under the GDPR).

f) The details of your Data Protection Officer (DPO) are added especially if you are legally required under GDPR to have a DPO.

g) The policy reflects the requirement to notify the ICO within 72 hours of becoming aware of a personal data breach that falls within the set criteria (a breach likely to result in a risk to individuals’ rights and freedoms). You also need to tell employees whom to contact as soon as they become aware of a data breach, so that the 72-hour clock is not lost to internal delay.

h) You make clear the technical and organisational measures that are in place, including any additional requirements you expect from employees, e.g. a clean desk policy; not saving personal data to the desktop; locking computers when unattended; taking care of personal data in transit, etc.

i) You remove any specific reference to the “Data Protection Act 1998”. We expect this Act to be replaced before 25th May 2018 and therefore, if you are updating now, a more generic reference to “data protection legislation” may be more appropriate, given that there will be two pieces of relevant legislation (the GDPR and the new DPA).

Recruitment Policy

Consider producing a candidate privacy notice explaining the purpose of collecting the data, and update any retention policy for recruitment records if necessary. If you use an external third party as part of the recruitment and selection process with whom personal data is shared, you will need to let applicants know the type of organisation you use, e.g. a recruitment agency.

If you have any automated decision making in any of your HR processes, such as recruitment (e.g. automated rejection and shortlisting) or any other HR process (e.g. sickness absence; attendance bonuses; shift and holiday rostering; employee monitoring or triggers for disciplinary action), then depending upon the legal basis for the automated decision making, data subjects have the right to object to the processing of their data in this way. The same applies to any profiling that you may carry out, such as recording and analysing the type of flexible benefits accessed by your employees.

If the automated decision making or profiling produces legal effects or similarly significantly affects the data subject, you may only carry it out where it is necessary for entering into or performing a contract with them, is authorised by law, or is based on their explicit consent. In addition, the systematic use of automated decision making and profiling will require a prior Data Protection Impact Assessment.

Our advice is to review any automated profiling and decision making, ensuring that there is meaningful human intervention within the process so that decisions are not based solely on automated processing.

Once recruited, if the employee’s data is held on an HR system provided by another company, you need to consider linking to that company’s privacy policy.

Similarly, if you work with other organisations to provide benefits, you need to consider doing the same. You should consider with each of your third parties whether the data you send to them could be anonymised or “pseudonymised”, so that they receive no more identifiable data than they need.

If you receive CVs, these may contain more personal data than you require. You should consider providing guidelines on the type of information you expect to see on a CV and the information you do not require, for instance date of birth.

Promotions / Secondments Policy

We advise that, if you do not refer to the privacy notice, you make clear the purpose of collecting promotion and secondment data, the retention period and the lawful basis for processing. Consideration may need to be given to a data sharing agreement if other organisations are involved in secondments.

Disciplinary & Grievance Policy

Consider whether you need to update your list of examples of gross misconduct to reflect data breaches.

Attendance Policy

Consent to obtain a medical report may need updating to ensure it is freely given, specific, informed and unambiguous, and given by a clear affirmative action. If the employee refuses consent, you need to ensure that any data already acquired for that purpose is erased.

You may need to review your occupational health form to refer to your privacy notice / fair processing notice or, if it does not, insert all the information you would expect to see in those documents, e.g. purpose; data sharing; retention; lawful basis for processing.

Some clients are removing the name and address of the employee’s GP from their absence forms, on the basis that if an occupational health report is required the GP details can be obtained at that later stage.

Criminal Checks Procedure

We advise you to review your criminal checks procedure to ensure you still comply with the GDPR principles in relation to the processing of criminal records data, and also your policies on the erasure and retention of this data.

Providing References Procedure

We advise that, if you do not refer to the privacy / fair processing notice, you make clear the purpose of collecting this data, the retention period, the lawful basis for processing and whether the data is shared with others, for both successful and unsuccessful candidates.

Training Procedure

We advise that, if you do not refer to the privacy / fair processing notice, you make clear the purpose of collecting this data, the retention period and the lawful basis for processing. If dealing with third parties, e.g. training bodies, ensure data sharing agreements are in place, if appropriate.

Other HR key documentation
Equalities, diversity and inclusivity monitoring form

We advise that, if you do not refer to the privacy / fair processing notice, you make clear the purpose of collecting this data, the retention period, the lawful basis for processing and whether the data is shared with others, for both successful and unsuccessful candidates.

Death in service benefit/pension documents

You need to consider whether you have made clear in the privacy / fair processing notice who you share personal data with; this may include third parties such as the pension provider, insurance company, external payroll bureau and legal advisors.

Employment application form

Remove any consent requests. Ensure you are only asking for the minimum information necessary, and also consider at what stage you request that information; it may be more appropriate to collect it at a later stage in the selection process.

Emergency contact form

We advise that, if you do not refer to the privacy / fair processing notice, you make clear the purpose of collecting this data, the retention period, the lawful basis for processing and whether the data is shared with others.

Any other documents particularly those that deal with special categories of data

We advise that, if you do not refer to the privacy / fair processing notice, you make clear the purpose of collecting this data, the retention period, the lawful basis for processing and whether the data is shared with others.


If any personal data in the above HR processes is transferred outside of the EU, you will need to let the employees know.

If you are not relying upon consent, then you need to be clear on the lawful basis for processing the data, as identified in your data map. For instance, it may be “necessary for the performance of a contract”, “compliance with a legal obligation” or “legitimate interests”.

Next steps

This legislation has not come into force yet and its practical application is still evolving. Therefore, if you would like to share other HR documents you have reviewed, please let us know so that we can add to subsequent newsletter articles on GDPR.

Even if you don’t think you will be ready for 25th May 2018, we have been informed that the ICO will look more favourably on those that are on the road to GDPR compliance.

Each organisation is different and, due to the nature of the new legislation, it is impractical to produce a pack of documents, but we hope you find the above a helpful resource. Please feel free to share it and, if your colleagues are not signed up for our newsletter for further updates, they may want to consider opting in to our mailing list.

If you need support in preparing for GDPR compliance please contact us.