THE General Data Protection Regulation (GDPR) will, despite Brexit, override the Data Protection Act 1998 and come into force, without requiring any legislation to effect the same, on 25 May 2018.
This will affect businesses and their employees upon its immediate implementation, and as such it is prudent to take careful consideration of what can be done now to ensure businesses are compliant.
Non-compliance
The increasing fines of up to 20 million Euros or four per cent of the global turnover of a business, whichever is the greater, are capturing the attention of many businesses now considering what steps they need to take in order to be compliant. These sums are significantly more punitive than the maximum of £500,000 under the existing law.
Considerations for employers
Not only will the GDPR apply to data processed on customers, it will also apply to data processed regarding the employees of a business. In particular, employers should consider:
* The significant amount of data which is likely to be processed regarding employees, including:
* CCTV within or around the office;
* office access information;
* data on computer log on; and
* data on websites visited, telephone calls made and emails both sent and received.
* The unstructured nature of much of the data surrounding employees and the challenges this creates for an employer looking to be compliant.
Consent requirements under the GDPR
One important area the GDPR highlights is the requirements around a data subject’s consent to the processing of their personal data. Consent must be:
* unambiguous, freely given, specific and informed;
* given by a statement or a clear affirmative action;
* as easy to withdraw as to give (and can be withdrawn at any time); and
* kept separate and distinct from other terms and conditions.
Employees
Employment contracts are usually offered on a take it or leave it basis, with no real room for negotiation on behalf of the employee. As such, the entering into of an employment contract is unlikely to provide for consent being given freely. Under the GDPR, employers will no longer be able to obtain consent regarding the use of an employee’s personal data through terms contained in employment contracts unless the consent for data processing is presented separately to the other terms.
Specifically, employers should consider the following regarding employees:
* review and ensure existing employees’ consents are given through affirmative actions;
* review existing employment contracts to ensure that consent given regarding data processing is clearly distinguished from consent to the other terms of the contract;
* obtain new GDPR compliant consents; and
* ensure future consent given to process personal data is separate from consent to the terms of the employment agreement.
Clearly reading an article such as this is not a substitute for legal advice. Here at Franklins we are able to offer advice on and assistance in respect of the GDPR, how it will affect your business, what steps you should be taking now and how to ensure that your employees maintain the compliance of your business in the future.
Christopher Buck is a Solicitor and Associate Partner in the Corporate Commercial department of Franklins LLP, whilst Ben Stanton is a Solicitor and Associate Partner in the Employment department. The firm has offices in Milton Keynes and Northampton. Christopher seeks to provide cost effective solutions to businesses regarding the GDPR and Ben can assist with advice and guidance for both employers and employees. They can be contacted on 01908 660966 / 01604 828282 or by email at /
