The General Data Protection Regulation 2016 (“GDPR”) came into force on 25 May this year. The hype around GDPR was unprecedented for the introduction of a new piece of legislation. Now that the dust has settled, it’s clear that a number of questions still remain for organisations that process personal data.
We have produced a series of mini blogs to answer those questions. The mini blogs will focus on four key areas: HR; Regulatory; Data Subject Rights; and Marketing. Questions such as “Do our employment contracts need to be updated?”; “Do we need to notify the Information Commissioner’s Office of each and every breach of GDPR?”; “Do we have to provide all documents requested in a subject access request?”; and “Can we continue to send marketing to our clients?” will all be answered, along with many others.
GDPR FOR HR – Do our employment contracts need to be updated?
One question often asked is how GDPR affects employment contracts. GDPR does not require employment contracts to be updated. However, many employment contracts were drafted prior to 25 May on the grounds of the employee giving consent to the employer processing their personal data. A typical pre-25 May employment contract may include a clause similar to the following:
“For the purposes of the Data Protection Act 1998, you give your consent to the holding, processing and editing of your personal data for all purposes relating to your employment and the performance of this agreement including but not limited to legal, personnel, administrative and/or management purposes”.
Under GDPR, employment contracts should no longer seek consent from employees for a few reasons:
- Consent obtained within an employment contract is unlikely to be GDPR compliant. Consent must be freely given, and it won’t be freely given if it’s provided within a document that the employee is required to sign to commence employment;
- There’s no need to rely on consent for the majority of processing of employee personal data. Organisations should instead rely on legitimate interests (backed up by completion of a legitimate interests assessment), fulfilment of a contract or compliance with a legal obligation. In the case of special categories of data (known as “sensitive personal data” under the Data Protection Act 1998), processing is permitted where it is carried out in the field of employment; and
- The rights of data subjects are more limited where an organisation relies on a ground other than consent.
This doesn’t mean that consent from employees is never required. If you carry out processing that isn’t necessarily anticipated or expected by an employee, you should still seek consent in a separate document that sits outside the employment contract. For example, if you collect diversity information on a non-anonymous basis, consent should be sought to process that data (it may be simplest to do this by providing a “prefer not to say” option in any forms used to collect the data), and occupational health assessments will also need to be carried out with the consent of the employee.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.