Employment law - Data protection

GDPR erasure of data response letterYou can use our letter to set out your reply to an individual's request, made under the UK GDPR, for erasure of some or all of their personal data that you hold about them. Erasure of personal dataWhere any of the g... Read more

GDPR erasure of data request formThe UK GDPR enables individuals to make a request for the erasure of the personal data that you hold about them. You can use our form to assist them with making a request.The statutory rightUnder the UK GDPR, individu... Read more

GDPR legitimate interests assessmentIf you intend to rely on legitimate interests as your lawful basis for processing certain personal data under the UK GDPR, you should first conduct a legitimate interests assessment.Lawful basis for processingTo pr... Read more

GDPR data protection impact assessmentA data protection impact assessment is required where a new type of processing is likely to result in a high risk to the rights and freedoms of data subjects. Use our document as your starting point.What's a DPIA?... Read more

GDPR consent to use of employee's imageNormally, you can't rely on an employee's consent as the lawful basis for processing their personal data. However, using their image in marketing materials can be an exception if they have a genuine choice about wh... Read more

GDPR data processor clausesIf you use any third-party processors to handle employees' personal data, you must by law include a number of key written terms governing data protection in the commercial contracts you enter into with them.Processor obligat... Read more

GDPR personal data breaches registerThe UK GDPR requires you to document all personal data breaches, whether they're notifiable to the Information Commissioner's Office (ICO) or not. Use our register to do this.Mandatory registerUnder the UK GDPR, you ... Read more

GDPR letter notifying personal data breachAs well as notifying the Information Commissioner's Office (ICO), certain personal data breaches must also be notified to affected data subjects. Your notification to them must, as a minimum, describe the natu... Read more

GDPR register of data subject access requestsThe UK GDPR requires you to demonstrate that you're complying with the data protection principles. Maintaining a GDPR register of data subject access requests can help you show that you're observing subject ... Read more

Letter to ex-employee threatening to contact ICOUse our letter where you believe a former employee has taken personal data with them on leaving employment, such as client records, without your permission. Unlawfully obtaining personal data is a crimi... Read more