We are all busy preparing and making changes to the way we store our customer/student data for the upcoming changes to Data Protection legislation. If you employ staff within your yoga studio (business), then read on, as the GDPR also covers the information you hold about your employees and their rights.
What do you need to do?
Conduct an audit and keep a record of the information which you hold about your employees, determine the legal reasons you have for storing their information and decide whether it is necessary for you to hold this. Refer to my previous blog for the list of lawful bases (legal reasons) for keeping data.
Data Retention Period: determine how long you will keep employees' records in the event that they move on. I would recommend that you keep records for 6 years; this includes time sheets, sickness records, holiday records etc.
Storage of information: if you are storing their data electronically, then ensure that it is held securely and that employees can only see information which is relevant to them. If you have paper copies, then these must be kept locked.
Transparency: you will need to inform your employees what data you keep about them and why. Be transparent about how long you will keep their information, both during their employment and after it ends.
Update employment contracts so new employees are aware of what data you store, the reasons why and for how long. You do not need to issue new employment contracts to your existing employees; you can detail the changes you have made in a letter.
Train employees on your Data Protection Policies and keep records of this.
Sharing information: if you share your employee details with a third party, e.g. an accountant or pension scheme, then you will need to inform your employees of this and ensure that the third party is also GDPR compliant.
One thing to watch out for! If you use team photos or videos on your website or in newsletters, then you will need to check with your employees that they are happy for you to do this. If they object to the use of their images, then you need to respect this and remove them immediately.
*The contents included in this blog are for information purposes only; we cannot provide specific legal advice. This information has been put together from the research we have conducted into the GDPR for interest only. If you require any legal advice, then please consult a legal expert.