This is the third instalment of our GDPR for HR FAQs series of mini blogs. In this blog, we consider whether organisations should update their employee handbooks.
Our frequently given response:
There’s no requirement in GDPR that employee handbooks include policies relating to data protection, nor that existing policies be updated to reflect the changes introduced by GDPR.
However, it makes sense both to provide data protection policies to your employees and to ensure they reflect the provisions of GDPR.
Many existing employee handbooks include provisions that were drafted under the Data Protection Act 1998 and contain out-of-date references to legislation, as well as references to the 8 key principles of the Data Protection Act 1998, which have now been replaced with 6 key principles under GDPR. They may also remind employees of their right to make a subject access request, referring to the £10 fee and the 40 day timescale to respond. Under GDPR, organisations must respond to a subject access request within one month (extendable by a further two months where requests are complex or numerous) and may not charge a fee unless the request is manifestly unfounded or excessive.
It’s therefore worth reviewing your handbooks and policies to check whether they need to be updated. It’s also a good opportunity to consider the requirements you place on employees in the handbook and in your policies: are there security requirements you would like them to comply with (such as encryption of devices, password protection, caution around using instant messaging etc.)? Would you like employees to regularly purge their emails to assist your organisation with GDPR compliance? Do employees know what to do if they receive a subject access request on behalf of the organisation? Are employees aware of the new requirements around breach notification, and do they know who to speak to if they think they have breached or may have breached GDPR?
All of these issues can be dealt with in your employee handbook or policies. They will not only give you comfort that your employees should be acting in a way that assists your organisation’s compliance with GDPR, but they will also provide useful evidence that you have communicated appropriate requirements to your employees.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.