Archive RSS
Blog  »  July 2017  »  What does GDPR mean for employers? - Blog
24
Jul 17

Posted by
Laura Murphy

What does GDPR mean for employers?

Employers process huge amounts of HR related personal data on a daily basis. The new General Data Protection Regulations (GDPR) expand current obligations in terms of how data that is processed.

Employee Communication

Currently employers must provide employees with some information, including the identity of the data controller and the purpose for which data is being processed. Under the new legislation this will increase to include, informing employees of how long the data is stored for, details of employee’s right to make data access requests, and the right rectify or to delete the personal data.

Consent

The issue of consent will be very important across the board but particularly from a HR perspective. Currently, most employment contracts will contain a standard consent clause regarding the processing of employee data. Under GDPR employers will unlikely be able to depend solely on these blanket clauses.

GDPR stipulates that consent must be freely given, specific, informed and unambiguous. Employee consent is not generally considered to be valid as consent is usually not deemed to be “freely given”. This is due to the power imbalance between the employer and the employee.

Whilst it is still best practice for employers to include details of data processing within the contract of employment, it should not be the sole form of consent for processing employee’s personal data.

How do employers justify processing employee data?

From 25 May 2018 employers will need to have additional justifications for the processing of employee data. These may include:

  • To fulfil contractual obligations: this could allow employers process employee details in order to meet the terms of the contract of employment. For example, the processing of payroll data.
  • Legal obligations: for example, health and safety and tax legislation denote valid grounds for processing data.
  • Other legitimate interests: employers may have internal legitimate interests for processing data, such as to improve efficiencies. Where this justification is relied upon employers should ensure that the purpose is legitimate and it must be done in the least intrusive manner possible.

Data Access Requests

Should an employee request to access their data, under the GDPR employers will have one month to comply, reduced from 40 days. It will no longer be permissible to charge employees for requesting to access their personal data.

To Conclude

Employers are well advised to take time to fully consider the legal grounds they rely on in order to process employee personal data. Ensure that where processing does occur it is necessary, proportionate and carried out in the least intrusive manner possible. Employers should also communicate with staff ensuring that staff notices and privacy policies are up-to-date with the GDPR requirements.