Data Protection Principles: What every employer should know

Let’s face it, data privacy regulations can be daunting if you work in HR or are responsible for collecting personal employee information. But understanding some basic D&I data protection principles can help you embark on the right path to gathering and publishing your employee's diversity and inclusion data.

Collecting D&I data is the first step to understanding the make-up of your organisation to develop effective D&I strategies and target issues impacting equality and inclusion in your workplace.

Now, without D&I data, it's impossible to understand how you're performing, what you need to change, and the progress you're making to build a diverse and inclusive culture.

—

In this short blog post, you’ll learn about Data Protection Principles: 

• What they are
• What they mean
• Why it matters

What are Data Protection Principles?

Once you've determined that your organisation has a lawful basis for collecting D&I data and met the special conditions for processing it, you'll need to carry out your data processing according to the data protection principles set out in the UK General Data Protection Regulation (GDPR). 

Data Protection Principles: What does it mean?

Let’s zoom on what hides behind Data Protection Principles. What does it mean, really? We break it down in 6 steps.

1. Data must be processed in a lawful, fair and transparent manner

Your organisation needs to ensure that your data collection practices don't compromise the law and that you're transparent with employees about how you'll use their data. 

For instance, you can share your privacy policy with staff to explain why you're gathering the data, how you'll sort it, and where it's stored.

2. Data should only be collected for specified, legitimate and explicit purposes 

Organisations can only gather personal data for a specific purpose and cannot use it for anything other than this purpose. So, before you begin collecting any data, you'll need to outline the goal.

For example, to review and ensure equality of treatment for all employees.

Now, suppose you're processing for historical, scientific or statical reasons in the public interest. In this scenario, greater freedom is allowed, but it can be worth checking with your legal team before making any assumptions.

3. Data minimisation

Personal data needs to be relevant and limited to what's necessary for the purpose of collecting the data. Employers should therefore aim to limit the scope and amount of data they process to achieve their D&I strategy.

It’s also important to note that you can't collect personal data for possible future uses or retain more data than is needed for your D&I analysis.

‍

‍

4. Accurate and kept up-to-date

It's essential to ensure your data remains up to date to meet regulations and be beneficial for your ongoing analysis.

As an employer, you'll need to take every reasonable step to ensure that any personal data you collect is accurate. 

If there are any inaccurate or incomplete data, it's essential to either update it or erase it within 30 days.

5. Storing the data

The legislation highlights that you must keep all data in a form that permits the identification of employees for no longer than necessary.

In other words, as an employer, you'll need to take steps to anonymise the data, store it separately from other employee data and HR records and limit who has access to the data to comply. 

When you no longer need the data for the reason it was collected, you need to delete it. If there's an acceptable reason you need to keep the data, then you'll need to establish a retention period and justify your reasons.

6. Confidentiality and security

It's essential to process your data so that it ensures the appropriate security of the data. It's a good idea to work with your risk and IT teams to assess the data storage to ensure it meets the necessary security levels to store personal information safely.‍

Good to know!

Our software and data are hosted in Microsoft Azure (Europe). Our data is only accessed from the UK, not transferred anywhere else outside the EEA, and access to it is secured by internal controls. We have policies and procedures to ensure everything is kept safe at all time.

Learn more from on HR Datahub’s Privacy and Security.‍

Why are the Data Protection Principles (so) important?‍

The above mentioned principles are set out at the beginning of the legislation and form an essential part of the UK GDPR. While they don't list absolute rules, they do reflect the spirit of the information protection regime.

Compliance with these core principles is a critical building block for creating reasonable data protection procedures in your organisation. It also means complying with a specific provision of the UK GDPR.

Non-compliant organisations risk important penalties

You may be subject to substantial fines if your business doesn't comply with the principles. Infringing these basic principles are typically subject to the highest tier of administrative penalties. This could include a maximum fine of £17.5 million or 4% of the total annual global turnover in the last financial year, whichever is higher.

How to follow the principles

The data protection principles offer a guide to establishing your data collection protocols and ensuring you can securely store the data. 

As an HR team, working closely with your IT and Legal teams from the get-go is essential to establishing these protocols. Their support can ensure you fulfil the principles and adhere to the regulations of the law. It also means the data you gather will be helpful in your analysis to build or improve your existing D&I strategy to create a truly diverse and inclusive workforce.