Many employers rely on generic consent wording in employment contracts where employees consent to the use of their data, permit workplace monitoring or agree to transfers of data overseas. However, relying on consent in order to process data in an employment context is likely to be ineffective. The EU takes the view that consent is not freely given where the relationship is not one of equals. Both the forthcoming General Data Protection Regulation (GDPR), and the UK Data Protection Bill make it explicit that consent will not provide a valid legal ground for processing data if “there is a clear imbalance” between the parties, such as in an employment relationship; and this is backed up by guidance from the Information Commissioner.
Even if consent has been given, employees can withdraw it at any time, potentially undermining other grounds which could have instead properly been used as the basis for processing - such as the furtherance of the employer’s legitimate interests. If employees object only to parts of data processing, piecemeal withdrawal of consent could still also cause a headache if HR practices need to be altered or amended at short notice to accommodate exceptions.
With eight months until the GDPR takes effect, we urgently recommend that HR teams who have not already started to consider this issue do so now, and prepare for the changes which will need to be made before 25 May 2018. This should include:
- reviewing the data which your organisation holds and the basis on which it is processed
- identifying a lawful basis (other than consent) for processing employee data. This could include identifying your legitimate interests and weighing these up against the potential harm to employees if data is processed in a particular way
- considering what if any exceptions apply to processing employee data (eg in respect of HMRC and immigration records)
- deciding if you intend to use consent in “one-off circumstances”, for example to reply to banks when asking for information on mortgage applications; and, if so, ensuring you have a separate “unbundled” consent form
- reviewing other standard HR documentation at all stages of the employment process including applications/recruitment, offer letters, contracts, handbooks, and general data handling policies
- working with the rest of your organisation to develop privacy notices for HR
- working with the rest of your organisation to consider and update your document retention policy
- drafting an appropriate policy document to explain how you comply with the principles in the GDPR and how your retention and erasure policies work
- reviewing any employee monitoring processes and undertaking impact assessments if employee monitoring is to continue.
The GDPR has a significant impact across organisations and the HR preparation should feed in to a wider GDPR review, since many elements are likely to overlap with those of other departments such as IT and finance.