This type of data is likely to be unstructured and this creates a particular challenge for an employer seeking to comply with principles relating to data protection. Employers, as data controllers, are required to comply with a set of principles for processing personal data and, in addition, are required to show how they have complied with the principles. These principles form the core of the obligations of the data controller and will usually form the basis of any claim that a data controller has not complied with its statutory duties.
Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
Storage limitation. Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
Integrity and confidentiality. Personal data must be processed in a manner that ensures its appropriate security.
Accountability. The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
We provide proactive support for employers to ensure these obligations are met. We can advise on conducting an initial data processing audit, analysing the results and determining the extent of GDPR compliance. Where any failures to comply are identified, we will assist the employer with the steps it needs to take to achieve GDPR compliance. This might include preparing bespoke internal and external policies and documents and providing training.
In addition, we advise employers that have received requests from data subjects exercising their rights under GDPR, including subject access requests, and employers that have breached GDPR or the Data Protection Act 2018.