The Government announced this week that it will be publishing a new Data Protection Bill, which will have a profound impact on the way organisations handle employees’ personal data. It will incorporate the EU’s long-awaited and far-reaching General Data Protection Regulation (GDPR), which applies from 25 May 2018. The UK, therefore, will have equivalent protections in place long after Brexit.
One of the implications of the new law is that employers will need to place more focus on the legal basis for processing employees’ personal data.
There are several conditions which employers can rely on to make the processing of personal data lawful, but one of the most commonly used historically is consent.
It is not uncommon to see very general data processing consent clauses in employment contracts, but in reality, generic consent from an employee will not always be valid. There is a clear imbalance of power in the employment relationship, since employees are unlikely to be in a position to negotiate contract terms at the point they are entering into them. They may well feel that they have no choice but to sign what they are asked to.
Under GDPR, organisations will need to work harder to ensure they have obtained valid consent. Consent must be “freely given” through a clear, affirmative statement which is distinguishable from other matters and given with a full understanding of the implications, i.e. informed consent. Given the imbalance in the employment relationship, and the fact that the processing is often tied to other considerations such as performance of a contract, it cannot be presumed that consent is “freely given” in the context of an employment contract.
The result is that even where an employer has specific, informed consent from employees (such as consent to access medical records), it may not be able to rely solely on that consent as a lawful basis for processing personal data. This is especially the case for ‘special categories of personal data’ (which includes data formerly known as sensitive personal data), for which the requirements are already stricter.
Even on the rare occasions where valid consent could be deemed to have been given, the employee must have the right to withdraw that consent at any time.
You might be wondering then how you are going to overcome all of these hurdles. But remember – consent is only one of the conditions you can rely on to lawfully process personal data. In most cases, you will be able to find an alternative basis for processing employees’ personal data lawfully.
For example, where:
- processing is necessary for the performance of the employment contract (e.g. to pay the employee); or
- processing is necessary for compliance with a legal obligation (e.g. to monitor working hours),
you will be able to rely on these alternative grounds for processing personal data whether or not you have consent from the employee.
What you need to be doing
Now is the time to start looking at the different ways in which you use employees’ personal data and working out which grounds you can rely on in each case to avoid breaching the new data protection laws.
It is important that everybody handling employee data, such as HR teams and line managers, is aware of the new, stricter requirements. Training, auditing and effective policies and procedures will play a key role in making sure that personal data is only used in accordance with the identified processing conditions (and for the right purposes), so now is a great time to get prepared and review your internal procedures.
You should also consider revising contractual clauses to refer to a separate data protection policy, rather than asking for consent in the contract (which is unlikely always to stand up to scrutiny).
Why you need to start thinking about it now
As the UK will still be part of the EU on 25 May 2018, the GDPR will automatically become part of UK law on that date, regardless of whether or not the UK’s Data Protection Bill has become law by then.
Naturally, with stricter requirements come stricter penalties, and the new penalties for breaching data protection legislation will potentially be huge – up to €20 million or 4% of global turnover in the most serious cases.
Conducting an audit of the personal data your business holds, and why it holds it, may take longer than you think, so you should act now to ensure compliance by 25 May 2018.
Join the Gateley Plc Employment Team at the HRXChange Autumn Update to discuss the full implications of the Data Protection Bill for employers and other key employment law developments.
This blog post was written by Alicia Corby. For further information, please contact:
Christopher Davies, professional support lawyer, Employment
T: 0161 836 7936