Employers must ensure that personal data is stored appropriately. Given that most employers are likely to hold significant amounts of personal data for each member of staff, it is particularly important that HR management systems and structures are appropriate and meet local compliance requirements, and that storage of such data is sufficiently secure. Access to any such data should be limited to those who require access in order to perform their duties and steps should be taken to ensure that such data is only used for such purposes.

With the development of technology and changes in the ways people work, employers need to consider the risks in associated advances such flexible working, 'bring your own device' policies and remote access to employer networks and systems. Employers will need to consider how best to ensure that their assets, information and systems are adequately protected whilst facilitating the needs of their business and their staff are met.

In the event of a merger or acquisition, employers will need to carefully consider what staff personal data to share, which parties to share such data with, and the basis on which they do so. In some cases (such as transactions to which the EU's Acquired Rights Directive applies), employers may be subject to a legal requirement to provide certain data. In others, employers will have to consider a more nuanced approach, including an assessment of the data sought and the basis on which it is sought, the security arrangements in place, and the justification for any such transfer of data. Employers should consider appropriate measures including anonymising or pseudonimising staff personal data where appropriate, and consider the timing of when such data is provided.

In the event of an intra-group restructure or reorganisation, employers will need to consider the same matters (i.e. what staff personal data to share, which parties to share such data with, and the basis on which they do so), and take steps to ensure any such transfers are compliant and that the integrity and security of any such data is protected.

Employers should consider the implications for employees in relation to access and security measures for employer premises. Where CCTV, swipe card and other common measures are in place, employers should ensure that staff are aware, and that the data collected is handled appropriately and in compliance with local laws; if such data may be used in connection with employee management processes (such as disciplinary processes), this should be made clear to employees. If employers intend to use more unusual / intrusive methods (such as fingerprint or retina scanning, for example), additional care and consideration will be needed. If such access and security measures are operated by third parties (as is often the case in shared or flexible office space), employers need to consider the needs of their own business and the implications of this for staff members.

With the rise of proptech and smart buildings comes the parallel increase in risk as far as employee data is concerned. Such technology is popular with commercial landlords, but employers need to understand the implications for staff and whether there any associated risks.

< Back to Lifecycle page