09 April 2021
How can startups comply with employee privacy and confidentiality laws?
Your employer obligations
When you take on employees, you will inevitably end up processing their personal data. From their names and addresses, to the bank account details you use to pay them, to their performance reviews, to their disciplinary records – all of it is personal data.
This means that under the Data Protection Act 2018 and UK GDPR you have detailed obligations in relation to processing and storing personal data. For example, you must only process personal data for legitimate purposes, store personal data for no longer than is necessary for those purposes and be accountable for your processing of those personal data.
Two steps to compliance
While it’s easy to be overwhelmed by data protection law, there are two straightforward steps you can take to help make sure you are compliant.
- The first of these is to put in place a bespoke Data Protection Policy, which will set out in detail your obligations as an employer, together with your employees’ responsibilities, in respect of personal data. You can then look to this as an easy reference guide as to what you need to be doing.
- The second is to provide your employees with a Privacy Notice, explaining the personal data you will be collecting about them and how and why you will be processing those data.
Data Protection Policies and Privacy Notices are part of a wider suite of documents which all employers should have, including employment contracts and a non-contractual handbook setting out things like your disciplinary and grievance procedures. While initially this can seem like a lot of paperwork to put in place, it’s worth making sure that these documents are tailored to your organisation because in the long run it will help you to comply with your obligations and lower the risk of claims against you.
Subject access requests
Start-ups also need to know that their employees have a right to make a “subject access request”. If they do, you are required to provide them with copies of their personal data free of charge within one calendar month.
Former employees, or those who wish to make a claim against their employer, can make a subject access request. Because “personal data” is given a very broad meaning by the legislation, it is capable of covering emails which have been sent about an employee as well as to or from them. You should always bear in mind that if you are writing an email about someone, they may well end up reading it when they are deciding whether or not to sue you.
As a start-up, you should make sure that you have systems in place that let you locate all that personal data easily. Not only will this make it easier to comply with any subject access request, but it will help keep you compliant with all your other obligations under the Data Protection Act 2018 too.