Handling employee data under new data protection laws

By David Edwards, senior associate, regulatory and compliance, Harrison Drury.

From the 25 May 2018, The General Data Protection Regulation and what will become the new Data Protection Act 2018, will form the UK’s new data protection framework.

Where consent is relied upon as a ground for the lawful processing of personal data, data controllers should be able to demonstrate that consent was given by the data subject, ie the employee.

Employers seeking to rely on consent as the lawful justification for processing confidential personal employee data must satisfy the following: Consent must be specific and informed Employees must have the right to withdraw consent Consent must be freely given Consent must be unambiguous and take the form of an affirmative action or statement For certain types of personal data processing, the consent must be explicit Privacy notices for employees

The GDPR requires employers to notify its data subjects about their personal data handling practices through a privacy notice. Employers should have a proactive approach to data processing.

Privacy notices are designed to sufficiently inform data subjects about how their employer collects, uses, stores, transfers and secures personal data.

Privacy notices can also seek to act as an education piece for employees. They advise employees about what will be done with their personal data and why – something which hasn’t always been a concept thoroughly considered by some employers.

Just like policies and procedures, privacy notices must be fit for purpose. Vague notices are of little assistance, and in actual fact, could encourage a sense of concern amongst employees if they are not sure as to what is being done with their personal data.

Whilst operating in the capacity of an employer, consider – why do we do what we do with personal data? Can you sufficiently justify why? Best practice approaches

Employers should begin to give sufficient consideration to how they obtain their employee’s consent, taking into account the following; Treat the consent to process personal data separate to other permissions The employer seeks separate consent for each personal data processing activity The employee consents freely Employees must know of their right to withdraw consent The organisation satisfies other information notice requirements The employer can demonstrate that it obtained valid consent

Whilst the government has advised that the new Data Protection Act 2018 will set out a number of exemptions from GDPR, employers should now be getting themselves familiar with the relevant provisions of the GDPR. In any event, employers should be well underway in terms of identifying what steps need to be taken with a view to becoming compliant with the GDPR.