In the UK, the Information Commissioner is consulting on draft guidance regarding consent under the new General Data Protection Regulation (GDPR). Consent will be a central issue under the new regime, particularly from an HR perspective.
Most contracts of employment contain a standard consent clause regarding employee data protection processing. Under GDPR these blanket consents are unlikely to continue to stand up.
This is because GDPR sets a higher standard for consent: it must be freely given, specific, informed and unambiguous, and it must be signified by a statement or by a clear affirmative action. Silence, pre-ticked boxes or inactivity will not do.
The real problem is whether a blanket consent given as a condition of being employed can be considered freely given at all, given the imbalance of bargaining power between an employer and an employee. For that reason, the Information Commissioner in the UK is recommending that employers consider alternative lawful bases for processing an employee's data rather than relying on consent.
One of the main alternatives is that the processing is 'necessary for the performance of a contract' (Article 6(1)(b) GDPR). This basis would allow an employer to process employee details for payroll, for example, in order to pay an employee under the contract of employment. Another basis may be the 'legitimate interests' of the organisation (Article 6(1)(f)), which requires those interests to be balanced against the rights and interests of the employee. Whichever basis is relied on should be identified and documented, because GDPR requires organisations to be able to demonstrate their compliance.
Organisations have until 25 May 2018 to comply, and that date is approaching quickly. So what should HR teams do? The first recommendation is to put together a working group representing the relevant internal stakeholders who manage and process data within your organisation. A step plan should then be developed based on the steps set out below:
1. Become aware - identify areas that could cause compliance problems under GDPR.
2. Become accountable - create an inventory of all personal data you hold and why - look at security and retention also.
3. Communicate with staff and service users - update privacy notices to comply with GDPR.
4. Personal privacy rights - make sure your procedures cover all of the rights that individuals have including right of access, correction and erasure.
5. Look at how access rights will change - under the new timescales data access requests must be complied with without undue delay and in any event within one month (extendable only for complex or numerous requests) - other changes to access rights, such as the removal of the standard fee, also need to be considered.
6. Look at your legal basis for processing - document it and make sure it fits under GDPR - if it doesn't you may not be able to collect and process that data in the same way.
7. Look at consent - review how you seek, obtain and record consent and that it is still sufficient. GDPR means consent may be more difficult to demonstrate particularly where the data subject has no option. This may have a particular impact on how you collect and process employee personal data.
8. Review how you process children's data - the age of consent needs to be reviewed and how you verify age will need to be considered.
9. Review your data breach reporting processes - GDPR brings mandatory reporting obligations in the event of a personal data breach. Unless the breach is unlikely to result in a risk to individuals, it must be notified to the Data Protection Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals they must also be told without undue delay, although this is not required where the affected data was rendered unintelligible, for example by encryption. Keep an internal record of all breaches, including those that are not notified.
10. Do you need data protection impact assessments, and how are you implementing data protection by design and by default in your organisation? If you are involved in high risk processing such as systematic and extensive profiling, the use of new technologies, large scale processing of special category data or large scale systematic monitoring of publicly accessible areas, then you will need to have procedures in place to carry out impact assessments before the processing starts.
11. Do you need to appoint a data protection officer? If your organisation is a public authority, if its core activities involve regular and systematic monitoring of data subjects on a large scale, or if its core activities involve large scale processing of special categories of personal data (what the current law calls sensitive personal data) or of criminal conviction data, then you must appoint a data protection officer. This can be an external party, but they must have responsibility for data protection compliance, report to the highest level of management and be given the appropriate authority, resources and support.
12. Are there any international implications for your organisation? If you are a multinational you need to ascertain which data protection authority will be your lead supervisory authority, which is determined by the location of your main establishment in the EU. GDPR operates on a one stop shop basis, so that authority will coordinate with the others on cross-border processing.
The most important step? Get started now!
If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.