GDPR - the implications for HR professionals

The General Data Protection Regulation (GDPR) is a European piece of legislation which will come into force on 25 May 2018. There has been much coverage of how this legislation will extend the requirements which already apply to business under the Data Protection Act. Most of this coverage has focussed on business to business and business to consumer issues, but I want to concentrate on how GDPR will affect employers’ processing of their employees’ personal data.

Personal data is the data of an identified or identifiable natural person (the data subject). An employer’s HR records will be caught by that definition. Note, however, that data related to job applicants, whether successful or unsuccessful, will also be caught.

The first significant change is to consent. Employers have traditionally included a standard clause in their contracts of employment whereby employees consent to the processing of their data. Because that clause is included in the contract, employees often sign that consent without considering it. They do that because they need to sign the new contract to secure their new role. Such consent will not be enough under the GDPR.

Article 7 requires that if consent is contained in a document which also deals with other matters, then the request for consent must be distinguishable from the rest of the document and in clear and plain language. My practice has been to have the data protection consent at the end of the employment contract with a separate space for the employee to sign confirming their agreement to it. Even that might not be enough under the GDPR, as it is clear that if consent is required for the performance of the contract then this will be taken into account when deciding if consent was truly given freely. In addition, and perhaps more importantly, Article 7 allows for an individual to withdraw their consent at any time. In the circumstances, my view is that employers should no longer rely solely on the consent contained within their employment contracts.

Instead employers need to be aware that if they can show the processing of the data is necessary to either:

  1. perform the contract, 
  2. meet a statutory obligation, or
  3. fulfil employment law obligations,

then that can provide legal justification for the processing of the data. 

Coupled with the above, an employer must communicate a detailed privacy notice to its employees which sets out, in a clear and transparent way, the justification relied on, how long data will ordinarily be stored, where it is obtained, to whom it may be disclosed, and what rights the individual has under the GDPR.

The above is intended to give employers some initial points to consider in preparing for the GDPR. I recommend that employers start to think about the data they already process, how they obtain consent, what, if any, documentation they have which might be updated to meet the requirements for a detailed privacy notice and how data is processed within their organisation. 

They then need to put an action plan into place to implement new procedures for obtaining consent, to draft and introduce a privacy notice and, finally, to train those who have responsibility for data processing. 

However, this should be seen only as a start to the process of preparing for the GDPR. It should be started now, as there is a lot to consider and a number of other areas to be covered subsequently. I will return to those other matters in a future article.

If you would like to discuss this further, or for a free 15-minute chat, please contact our employment solicitor on 01206 217610 or email martin.hopkins@birkettlong.co.uk.

 

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.