- GDPR – Are you Ready as an Employer?
Laura Binnie, Associate Solicitor in our Employment Law Team, advises on the new General Data Protection Regulation (GDPR) that will be in force from 25 May 2018.
With just over three months to go, the General Data Protection Regulation (GDPR) continues to hit the headlines, as all businesses will be required to comply with the new Regulation by 25 May 2018.
GDPR covers all ‘personal data’ held and/or processed by a data controller. Many of the principles enshrined in the GDPR are the same as those we are familiar with under the Data Protection Act 1998 – for example, fair and lawful processing and data minimisation. However, there are some new requirements. There will be a greater emphasis on both transparency and accountability; organisations will not only need to comply with all of the GDPR principles, but will also need to be able to clearly evidence how they are complying. Individuals will have greater rights and will need to be given more information than under the current regime.
In the employment world, a large amount of personal data is of course handled by an employer, throughout the employment relationship and indeed before and after it. Data subjects will include former employees, current employees and job applicants – whether successful or not – as data will be stored and/or processed for each category. Workers as well as employees are covered. GDPR will require a change in approach to a number of key documents such as the contract of employment as well as your policies and procedures.
The typical consent clause commonly found in a contract, whereby the employee accepts the processing of their personal data by the employer, is unlikely to be effective under the GDPR as the consent requirements are much stricter – a positive opt-in is required, the consent must be freely given and it needs to be as easy to withdraw consent as it is to give it. This means that (due to the inherent imbalance of power between an employer and employee) it will be safest for the business to rely on an alternative lawful basis for processing staff data. Two of the most relevant grounds available under the GDPR are: (1) that the processing is necessary for the performance of the contract; or (2) that it is in the employer’s legitimate interests to process the data. To this end, issuing a privacy notice to staff will be essential, containing information on what the employer holds and on what basis, amongst other things. We would also recommend updating your data protection policy, along with making a decision on whether to amend current clauses of contracts of employment, in order to reflect the changing landscape that will be in force from 25 May.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.