This update, published by Sandy Adirondack, contains information on specific areas of planning for GDPR compliance.
Getting sorted for GDPR: Children’s personal data, HR, faith organisations + more
This update lists GDPR resources for organisations which hold personal data about children; for staff with HR responsibilities in relation to employees, other paid staff, and volunteers; for churches and faith organisations; and in relation to contracts for data processors (third parties who process data on behalf of the data controller).
Children’s personal data
The rules on children apply to any organisation which holds children’s personal data – not just organisations specifically for children or providing goods, services, activities or digital media specifically targeted at children. Because misuse of children’s personal information can cause serious harm, organisations should ensure they are fully GDPR-compliant in relation to this by 25 May, or at least as fully compliant as they can be. It is particularly important to be aware of the new rules on getting consent from children, where consent is the basis for obtaining and processing the personal data.
- The section on children at the end of the Information Commissioner’s Office’s “Guide to the General Data Protection Regulation”, at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/.
- The ICO consultation until 28 February on the above guidance. A blog about rationale for the guidance, and Word and PDF forms for submitting consultation responses, are at https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/children-and-the-gdpr-guidance/.
- “Children and the GDPR”, Addleshaw Goddard solicitors, 5 February 2018, https://www.addleshawgoddard.com/en/insights/insights-briefings/2018/retail-consumer/retail-consumer-newsletter-february-2018/children-and-the-gdpr/.
- The Data Protection Bill, currently going through Parliament, is likely to contain further protection for children’s information rights. I will send more about this when it is clearer what the final bill will include. The bill can be accessed and its progress tracked at https://services.parliament.uk/bills/2017-19/dataprotection.html.
HR (employees, volunteers and others)
Data protection law, including the GDPR, applies equally to the personal data of employees, casual staff, “gig workers”, temporary staff, interns, volunteers, and anyone else who carries out work, paid or unpaid, for the organisation – as well as job/volunteering applicants who want to carry out work, and former staff who have previously carried out work. If your organisation holds information about any of them, it must comply with data protection requirements – even though many of the guides and briefings refer only to employees.
The best briefings are probably from CIPD (the Chartered Institute of Personnel and Development) at https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection/gdpr-factsheet, but these are available only to CIPD members. If you are not a CIPD member, try to find someone who is. In addition or instead, the briefings and articles below range from basic to more detailed. Obviously there is a lot of overlap, but they all have different emphases so you should probably look at all of them.
- “Handy guide to the GDPR for HR professionals”, two-page intro from Brodies solicitors, www.brodies.com/sites/default/files/handy_guide_gdpr_-_hr_professionals_j_keir.pdf.
- “What impact will the GDPR have on employers?”, HR Review, 19 September 2017, http://www.hrreview.co.uk/analysis/impact-will-gdpr-employers/105990. Good overview of issues for HR.
- “GDPR six months out: a lifeline for anxious HR practitioners” (except it’s now only three months out), Taylor Wessing solicitors, 15 November 2017, https://united-kingdom.taylorwessing.com/en/insights/law-at-work/gdpr-six-months-out-a-lifeline-for-anxious-hr-practitioners. Particularly helpful on handbooks and policies.
- “General Data Protection Regulations: Key implications for employers”, Anthony Collins solicitors, 15 March 2017, https://newsroom.anthonycollins.com/ebriefings/general-data-protection-regulations-key-implications-for-employers/. Particularly helpful on privacy notices.
- “Lawful processing of HR data under the GDPR”, Taylor Wessing solicitors, March 2017, https://www.taylorwessing.com/globaldatahub/article-processing-of-hr-data-under-the-gdpr.html. Particularly helpful on the issue of consent versus the other bases for lawful processing in relation to staff.
Churches and faith organisations
This briefing is written for churches, but applies in the same way to other religious bodies.
- “Data protection and the GDPR: What do you need to know?”, Anthony Collins solicitors, January 2018, http://www.anthonycollins.com/media/2530/data-protection-and-the-gdpr-what-do-you-need-to-know.pdf.
Contracts with data processors
A data processor is a third party who processes, on behalf of a data controller, information from which living individuals can be identified.
- For the distinction between a data processing arrangement and data sharing: “Check your contracts”, Stone King solicitors, 31 October 2017, https://www.stoneking.co.uk/literature/e-bulletins/check-your-contracts.
- For what the GDPR requires for contracts with data processors: The section on contracts in the ICO’s “Guide to the General Data Protection Regulation”, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/.
For more on this and legal issues for the voluntary and community sector, visit Sandy Adirondack’s legal updates site.