Despite the deadline having passed, businesses are still scrambling to align their data practices with the General Data Protection Regulation (“GDPR”). But with so much focus on consumer protection, it is easy to forget that employees must also be considered. This article briefly discusses ways to ensure GDPR compliance with respect to a company’s workforce.
Employees and personal data
The GDPR defines “personal data” as any information relating to a natural person that can be used to directly or indirectly identify them. Companies typically process large amounts of employee personal data as part of day-to-day operations, from payroll administration to performance reviews. In addition, employees frequently have access to the personal data of customers. Steps must be taken to ensure data is handled properly in each case.
The previous approach
Until recently, it was standard practice for employment contracts to contain a clause by which the employee gave broad consent to their personal data being processed by their employer. It remains possible under the GDPR to rely on consent as the legal basis for processing data, but most companies would be wise not to do so, for two reasons:
It isn’t necessary
Under the GDPR, employers can rely on numerous other justifications for processing employee personal data, such as it being necessary for the performance of an employment contract, or for compliance with an employer’s legal obligations. (Note, however, that the rules for processing sensitive personal data, such as race or sexual orientation, are stricter, and explicit employee consent may then play a role.)
It is difficult to validly obtain
The GDPR requires consent to be freely given, specific, informed and unambiguous; a single sweeping clause buried deep in an employment contract is unlikely to satisfy. Many bodies, including the UK Information Commissioner’s Office, advise against relying on consent in an employment context, owing to the imbalance of power inherent to the employer-employee relationship. Given that a prospective employee may feel that refusing consent might cost them the job, their agreement is unlikely to be deemed freely given.
The post-GDPR approach
Transparency is key to ensuring GDPR compliance. Data protection clauses in employment contracts should consist of the following three elements:
A statement that the employer will process the employee’s personal data
This should include an undertaking by the employer to comply with the GDPR and any successor legislation.
A referral to the employer’s privacy notice
The employee should be provided with a copy of the privacy notice, which sets out which of the employee’s personal data the employer intends to collect, how it will be collected, and how it will be used. Prior to entering the employment contract, the employee should be instructed to sign the privacy notice, confirming they have read and understood its contents.
An explanation of the employee’s obligations under the GDPR
Steps to take
- Include the updated data protection clause in all new employment contracts
- Deliver the privacy notice to all current employees and contractors, and require that they read and sign it
- The action to take in respect of existing employment contracts is ultimately a commercial decision. Some companies may wish to have employees execute new agreements, or sign a letter agreeing to the amending of the data protection clause. Regardless of the approach, all existing employees must have their obligations under the GDPR explained to them.