All of a sudden, data is big news. Headline after headline in the mainstream media is being generated by the Facebook and Cambridge Analytica story, fuelled by drip-fed revelations, an angry media keen to take the opportunity to rip into the social media giant that has gutted their ad revenues, and angry politicians keen to take the opportunity to vent feelings about Brexit and the election of Donald Trump.
At the same time, there is a bewildering level of marketing content being pushed out into the trade press by law firms and consultants about the General Data Protection Regulation (GDPR) reforms to privacy laws – most of it focusing, not unreasonably, on the challenges in terms of safeguarding client data and the penalties for failing to do so.
But while you can't stop reading about data, Facebook and leaks, what's being missed is that the GDPR is also changing the relationship between employers and employees in a significant way. While GDPR has mostly been presented as a digital exercise about data cleansing, firewalls and obtaining and recording consent, some of the biggest changes for HR teams (and employees generally) in many years have gone unremarked.
The first of those challenges – and this still appears to be taking some HR professionals by surprise – is that under the new rules, employers can no longer compel their employees to produce and hand over their health records, no matter what clauses exist in their contracts. The laws enacted in both Jersey and Guernsey to enable the GDPR specifically say that contractual terms requiring employees to disclose a health record, or even part of any health record, will be void from the point that the GDPR comes into force on 25 May.
Over and above that, employees will also have a legitimate expectation that they can keep their personal health information private, and that employers will respect their privacy. Where health information is being collected, employees should know what is held, who is holding it, where it is held and the reasons why it is held.
This changes the picture in a number of ways, but most significantly in terms of dismissals on the grounds of ill-health, particularly as the onus is on the employer, not the employee, to obtain evidence to support a decision to dismiss.
Similarly, employers' rights to demand evidence of criminal records will be swept away – except under certain circumstances. Employers will not be able to demand evidence of criminal records unless the employee (or the position being recruited for) fits a defined list of categories including healthcare, schools, caring for the vulnerable, financial services or jobs working in the legal sector.
A further fresh challenge is in respect of employees' social media accounts – it's fairly common practice in all kinds of businesses for employees to share, like and comment on their employers' social media content.
But monitoring of employees' social media activity will inevitably lead to processing and/or storing personal data about them – and therefore will have to be conducted in accordance with the GDPR, which means that employers will have to demonstrate lawful grounds for processing that data.
GDPR is a game-changer for the employee/employer relationship in many ways, not just those outlined above. It is imperative that employers are prepared for the new regime if they are to avoid liability post 25 May 2018. We recommend that GDPR audits are carried out as soon as possible so that areas of risk can be identified and rectified. Existing policies, procedures and employment contracts will need to be updated as part of this process and employers will need to be able to demonstrate that they are acting in accordance with the new policies.