Most businesses will now be aware of the forthcoming Data Protection Bill, which brings into effect the General Data Protection Regulation (“GDPR”) and modernises our data protection laws. Prudent businesses may have already taken steps to review and update their internal systems to make them “GDPR proof”. One specific issue for most businesses to consider is how the GDPR impacts upon them as employers.
The GDPR will require employers to provide employees with information regarding the collection, retention and use (“processing”) of their personal data, including what data is collected, how it is held, when and why it may be processed, and other general rights such as their right to see, amend or erase data held about them.
The provision of the specified information is likely to be undertaken by employers in the form of a policy or more specifically a privacy statement. Businesses should review current privacy statements to consider whether amendments will be required to ensure compliance with the GDPR or whether specific policies or statements should now be introduced.
A key feature of the new legislation is the issue of consent. The GDPR requires data controllers to obtain express, informed consent from individuals for the processing of sensitive personal data (such as information relating to the health of employees).
Many employers may have sought a general consent from employees at the outset of employment, often by including a clause in standard employment contracts. In general, employees will be required to accept the standard clause in the employment contract as a condition of employment.
The GDPR provides that general consent obtained on a conditional basis will not be sufficient consent for the processing of sensitive data. The Information Commissioner’s Office suggests that employers should consider whether or not consent is needed to process employees’ data and, if not, what other justification they may have for processing.
Under current data protection laws, which are less stringent than the GDPR on the issue of consent, a general, conditional consent is unlikely to be sufficient to process sensitive personal data (for example, where a medical report for an employee is required).
For employers preparing for the implementation of the GDPR, now is the time to consider:
- the justification for the processing of employee data;
- what data may be processed which requires employees’ consent; and
- how consent is obtained and whether any “current” consent is sufficient under the GDPR.
Steps to implement
Ahead of the implementation of the Data Protection Bill, which takes effect on 25th May 2018 (it is currently making its way through Parliament), employers should take account of the following action points:
1. Undertake an internal audit of what personal data is held about employees and how and why it is processed.
2. Review current data protection/privacy policies and statements to identify any gaps in view of the changes brought by the GDPR.
3. Consider specifically the issue of employee consent. Following the changes under the GDPR it is unlikely that a general consent will allow an employer to process sensitive data relating to an employee.
4. Assess data security and relevant policies and procedures in the event of data breaches – this will be particularly relevant where sensitive personal data is retained and goes towards demonstrating compliance with the GDPR.