HR Guidelines for GDPR: Addressing Pay Inequities, Data Access Rights, and IT Security Measures
The Information Commissioner's Office (ICO) has issued new guidance on how to respond to a data subject access request (DSAR) from a current or former employee. The guidance, published on 24th May 2023, marks a significant update for employers in managing DSARs effectively under UK data protection law.
Reasonable and Proportionate Searches
The updates primarily relate to the introduction of the Data (Use and Access) Act 2025, which affects DSAR handling by requiring searches to be reasonable and proportionate. This duty has been applied retrospectively to 1st January 2024.
The ICO’s powers regarding DSARs, including issuing notices and requesting documentation, are scheduled to come into force on 19th August 2025. Additional provisions impacting the UK GDPR, Data Protection Act 2018, and PECR will follow with secondary legislation laid before Parliament between August 2025 and June 2026.
This shift towards a more business-friendly and agile data protection framework maintains the core principles of privacy. Employers are encouraged to start preparing for these changes by reviewing their DSAR procedures to ensure searches are reasonable and proportionate, and by keeping abreast of forthcoming ICO guidance and legislative updates.
Ethnicity Pay Reporting and Diversity
Although ethnicity pay reporting is currently not mandatory, businesses that adopt the practice early and ensure accuracy may benefit from valuable insights, including from a public relations perspective. The guidance advises against aggregating all ethnic minority groups into one category, as it can hide specific disparities.
The focus is not only on pay but also on understanding the underlying reasons for disparities, such as limited progression opportunities. Regularly backing up data to an external storage device can minimize the risk of losing data in the event of a break-in, flood, or disaster.
Security Measures
To protect devices from malware, use up-to-date anti-virus software, particularly when employees are working away from the office. Be aware of your surroundings, especially in shared spaces, so that others cannot see sensitive information on your screen. Creating strong passwords and using multi-factor authentication can help safeguard personal information.
Train staff to spot suspicious emails, such as those with poor grammar, urgent demands, and payment requests. If a business uses social media platforms or chat channels for business purposes, it is considered the controller for the information processed on those platforms.
DSARs and Other Aspects
DSARs can be received through social media channels, and there is no requirement for a request to be in a particular format to be valid. CCTV footage is potentially in scope of a DSAR, so it is important to check that footage can be extracted in response to a request and that third-party data can be redacted where necessary.
Employers cannot refuse to comply with a DSAR because of ongoing grievance or tribunal processes. Allowing employees to self-identify is recommended, following the categories used in the latest Census, with an option for individuals to select "prefer not to disclose" to ensure compliance with the UK GDPR.
Looking Ahead
The ICO updated its 11 practical ways to keep IT systems safe and secure on 19th April 2023. For emails, all information in an email relating to the requester should be disclosed. On 17th April 2023, the UK government issued its first official guidance on ethnicity pay gap reporting.
The annual Data Forum, hosted by the firm in June 2023, provided a UK and EU perspective on various data law and regulation topics. Employers should stay informed about these developments to maintain compliance with data protection laws and ensure they are equipped to handle DSARs effectively.
- In light of the shift towards a more agile data protection framework, employers should review their data subject access request (DSAR) procedures to ensure they align with the new requirement for searches to be reasonable and proportionate under the Data (Use and Access) Act 2025.
- As cybersecurity becomes increasingly important in the digital age, businesses should implement strong security measures, such as up-to-date anti-virus software, strong passwords, and multi-factor authentication, to safeguard personal information and protect devices from malware.