GDPR and employment law - If employees cannot consent, how can you process their data?
In a previous blog, we looked at the impact of the General Data Protection Regulation (GDPR) on employee consent as a valid processing ground and how, at least so far as the employment relationship is concerned, it is in effect nullified under the new rules because of the power imbalance between employer and employee.
So, if consent is no longer valid in the employment context, what do employers need to do to ensure that they can process employees’ personal data and sensitive personal data without falling foul of the law on data protection?
Valid processing grounds for employers dealing with employee data
Any of the following could present a legitimate processing ground in the employment context:
- Performance of a Contract: Employment relationships are generally based on a contract of employment. Inevitably, for an employer to meet obligations under that contract (such as paying the employee and providing or administering benefits) it will need to process personal data.
- Legal Obligation: There are various legal obligations on an employer that require the processing of personal data – for example, the obligation to deduct tax and National Insurance Contributions at source for onward transmission to HMRC.
- Legitimate Interest: This requires that both the purpose and method of processing are necessary to satisfy a legitimate interest of the employer. For example, it may be necessary for an employer that is part of a group of companies where employee administration is undertaken by a different, shared services company in the group, to transfer employee data to the shared services company in order for the employer to meet their obligations to the employee. However, the processing must be proportionate to the business need or purpose that it is intended to address – so whilst it is likely to be acceptable to transfer the data to a shared services company, for example, it may not be appropriate to disseminate information more widely in the group without good reason. Where data is to be transferred outside of the EEA, international transfer requirements will still apply.
Legitimate Interest – some areas for consideration
The employer must ensure that the balance between their legitimate interest and the fundamental rights and freedoms of their employees is preserved. In essence, this requires employers to take a step back and identify:
- The legitimate interests on which they rely to process the data;
- What processing is actually necessary to meet those interests;
- What methods they propose to use and whether they are the most appropriate and least intrusive way of meeting the legitimate interest.
Employers will need to think carefully about the expectations of their employees in respect of the processing and how these can best be managed, and will need to ensure that the balancing exercise they have undertaken is carefully documented. The GDPR has an expectation that employers will be able to demonstrate not just what they have done to comply with the data protection principles, but how they have done this. Any evidence of the process followed (as well as the output in the form of robust policies detailing how personal and sensitive personal data is to be dealt with) will be useful in ensuring compliance with this requirement.
An employer has specific and detailed obligations under the GDPR to provide information about processing grounds to employees. This must be done before or at the point at which the employee’s data is collected for processing and must include the purposes of and legal basis for the processing; where legitimate interest is the ground relied upon, the interest must be specifically detailed in the information notice. This obligation is new, and is likely to require careful thought on the part of an employer to ensure that the information is properly documented and accurate. It will also need to be regularly reviewed to ensure it is kept up to date as circumstances change, because companies will not be able to retrospectively rely on a ground that was not described at the time the data was collected.
Right to Object
An employee has a right to object to processing on the grounds of legitimate interests at any time (watch this space for a future blog giving further detail on individual rights under the GDPR). Once an objection is made, the burden is on the employer to demonstrate grounds for continuing the processing that are sufficiently compelling to override the interests, rights and freedoms of the employee.
What should you be doing now?
Employers should be reviewing the basis on which they process data to ensure that they are clear on whether their processing grounds will remain valid in the post-GDPR world. The basis for processing data will need to be clearly communicated to employees in easy-to-understand information notices, and companies will not be able to do this if they are not clear on what they are doing and why. There is still time to future-proof your organisation – but please get in touch with Clayden Law and mpm legal in plenty of time before May 2018 to ensure you are ahead of the game!
- Review employment contracts and HR policies to understand the current data protection consent arrangements.
- Audit HR data – why do you currently process data and what processing conditions do you rely upon?
- Decide the processing conditions you will rely upon under the GDPR regime.
- Amend employment contracts and HR policies and processes to reflect the new world under the GDPR.
- Ensure appropriate communications and training are given to HR and any other staff who deal with employee data so that you are ready to hit the ground running in May next year.
mpm legal is an employment law boutique that offers a refreshing alternative to traditional law firms. We like to build lasting partnerships with our clients and pride ourselves on delivering advice which is pragmatic, clear and cost-effective.
Sarah Wilder started her career at a City law firm, before spending almost a decade as an in-house employment lawyer first at Barclays Bank and then at Coca-Cola Enterprises. Sarah has been part of the team at mpm since July 2016 and offers advice to corporate clients across a variety of sectors, as well as to individuals.