
Blog Post

GDPR

  • By Rebecca Labram
  • 19 Mar, 2018

Employee data and changes to consent

A significant change for all employers under the GDPR will be in how employee data is processed. Most employers in the UK currently rely on consent to process employee data under the Data Protection Act. There are two main reasons consent will not be the most appropriate basis under the GDPR:

  • Consent must be freely given – there must be a genuine choice, and it cannot be tied to the terms and conditions of employment;
  • Consent can be withdrawn at any time – if consent is withdrawn, employers would need to rely on another lawful basis to process the data and would need to inform the employee before continuing to process it.

If consent is not appropriate, what lawful basis can we use to process employee data?

That depends on the data you are processing.

Most personal data you collect from employees will clearly fall under the lawful basis of fulfilling a contract. This includes the information needed to pay employees, to provide other contractual benefits and to keep holiday records, amongst others. Where there is a legal obligation, such as reporting to HMRC or administering entitlement to statutory pay (for example maternity pay), you will process the data under the lawful basis of legal obligation.

Other processing of data may not be so clear. For example, where monitoring of employees' email and IT use is not covered by the employment contract, you would most likely rely on the lawful basis of legitimate interests. To demonstrate that the legitimate interest of the employer overrides the rights and freedoms of the individual data subject, employers will need to carry out a legitimate interests assessment (LIA). The more intrusive a process, the less likely it is to pass the test of an LIA. So, employers will need to think carefully about whether they can objectively justify their legitimate interests before processing the data.

Where consent is used to process data, the consent will need to be separate from the employment contract and a record of it must be kept. There is a much greater duty under the GDPR to demonstrate compliance, so good record-keeping is essential, as it is with other compliance duties.

Special categories of data (formerly sensitive data, and now including biometric data) could pose a risk to data subjects' fundamental rights and freedoms, so the GDPR requires extra protection to be in place. Examples of special categories of data include race, religion and belief, amongst other characteristics. Employers processing special categories of personal data about employees will need an appropriate policy document which sets out the safeguards in place to protect the data, the lawful basis, and additionally the Article 9 condition for processing the data. The lawful basis and the Article 9 condition do not need to be related, but both must be clearly documented and the employee informed of them via a privacy notice.

What needs to happen before 25th May?

Carry out an HR data audit which lists all the data processes currently in place, and consider whether each can be objectively justified. Decide on a lawful basis for processing each set of data. If you are finding it difficult to identify a lawful basis, then processing the data may not be necessary. Put simply: if you don't need the data, don't have it!

All employees will need to be provided with a privacy notice which lists their enhanced rights as data subjects under the GDPR and states clearly how data will be collected, how it will be processed, how long it will be retained and the lawful basis for each process. This needs to happen before, and certainly not later than, the 25th May 2018 implementation date.

Remember, even a swipe card system that identifies employees by name or number is collecting personal data about when each employee enters and leaves a building. Personal data includes physical access data – wherever a user interacts with a system and can be clearly identified, the resulting records are personal data. This data falls under the GDPR and must be covered by a privacy notice.

For more help and advice with your preparation for the GDPR, please contact Rebecca on rebeccalabram@peopleclever.com or come along to one of our friendly workshops to learn more.
