General Data Protection Regulation: Preparing for the change

The first step is to review data protection policies and contractual requirements with external data processors (e.g. payroll). As will be seen below, there are a number of changes under the GDPR and so revisions are very likely to be necessary for both employers and suppliers, who will need to ensure they are demonstrating data security and compliance with the GDPR.  It will not be sufficient simply to say you and they are complaint.

If new HR systems are being considered, they should be built and contractual arrangements agreed with the GDPR requirements in mind.

Most employers process significant amounts of data relating to employees including, for example, computer log data, websites visited, telephone calls, emails made/sent and received, CCTV and personnel data. Much of the data will be unstructured and may include sensitive personal data.  For example, a text from an employee to their manager saying they are unwell and unable attend work and the manager relaying this or making a record of it, is the processing of sensitive personal data.  Despite the unstructured nature of much of the data and lack of actual control over that data, the employer remains the data controller and owes various obligations.

A data audit must be carried out to establish what data is being processed within the organisation and where there may be any gaps in GDPR compliance.

Currently, employers rely on employee consent to justify processing of personal data about them.  This is subject to criticism given the unequal relationship between employer and employee and whether the employee can give their consent freely in these circumstances.

Consent remains an option but under GDPR the conditions for relying on consent are more detailed and stricter. Consent must be given freely.  It will not be freely given where the consent is a condition of their employment, for example, included in their employment contract. Ultimately, consent under the GDPR is going to be difficult to rely on for general use in the employment relationship, but could be used for one off matters such as obtaining a medical report.

Processing can be undertaken lawfully in other ways set out in Article 6 of GDPR.  The most likely to be relied on by employers is the processing is necessary for the purposes of the legitimate interests of the employer.

Step three should be to establish the grounds under the GDPR on which you can and will be able to lawfully process data.

Existing laws require employers to provide employees and job applicants with a privacy notice, which sets out the purposes for which the data is being processed and any information that needs to be provided to ensure fair processing of that information. The GDPR, under Article 12, requires that all information provided must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. Employers will generally need to provide more detailed information in their privacy notices, including:

• The period for which the data will be stored,
• Information on data subject rights, including the right to make a subject access request and rectification and erasure (the right to be forgotten/have data erased).
• The right to object to processing on certain grounds.
• The right to withdraw consent (where the employer is relying on consent as the legal basis for processing).

The amount of information that employers will have to provide is significantly more than is currently required.  Step four is to review and update privacy notices.

The GDPR extends data subjects’ rights which will include the following:

• The right to erasure.
• The right to have data rectified.
• The right to restrict the processing of personal data.
• The right to object to the processing of personal data.

There are various triggers which allow the above rights to be exercised. For example, where personal data is no longer necessary for the purpose for which it was collected or processed the data subject has the right to have that personal data erased.

The rights of data subjects will impact the employment relationship in a number of ways.  By way of example there is likely to be tension between an employer pursuing its “legitimate interests” and an employee seeking to restrict the processing of data on the basis of his or her right to privacy.  Organisations need to familiarise themselves with these changes to the rights of the data subject.

The above is a very broad overview and we will be publishing further detailed guidance in due course via hrlegalnews.