GDPR – Issues for Employers

The GDPR will necessitate various changes for employers as regards their employee data collection and processing activities. In particular, employers should be aware of, and prepare for, the following revisions to the current data protection regime.

Restrictions on consent

At present, many employers justify processing personal data on the basis of employee consent, usually contained in the contract of employment. This approach has been criticised because consent may not be freely given due to the power imbalance in the employer-employee relationship.

The GDPR sets out more stringent and detailed conditions for the use of consent - it must be freely given, specific, informed and unambiguous. Consent obtained in the employment contract is unlikely to be effective. Going forwards, employers will generally need to rely on one of the other legal grounds to process personal data, for example that it is necessary to fulfil a contractual or legal obligation.

More detailed privacy notices

Under the GDPR, employers will need to provide more detailed information in their privacy notices, including for how long the data will be stored, if that data will be transferred to other countries, and information on the range of employee rights regarding their data, such as subject access requests, deletion and rectification. This information must be concise, transparent, easily accessible and given in plain language. Employers will need to review current privacy notices and update them to comply with these more detailed requirements.

Data breach notification requirements

The GDPR requires mandatory breach reporting. Where there has been a data breach, the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified. Businesses will need to implement a data breach response process and train key personnel to recognise and address data breaches.

Changes to subject access requests

The time limit for responding to a subject access request (previously 40 days) has been reduced to one month (which can be extended up to two additional months where the request is complex). In addition, the £10 fee is to be removed (though employers can request a reasonable fee where the request is manifestly unfounded or excessive). Policies and standard form documents for responding to subject access requests will need to be updated and personnel will need to be trained in the new regime.

Other Data Subject Rights

Employees will have increased rights to have data rectified or deleted and object to certain processing. They will also have a right of data portability (to transfer personal data between data controllers). Employers should ensure relevant personnel understand the rights and implement appropriate procedures for dealing with them.

Relationships with data processors

Employee data will often be processed by third party providers, such as payroll companies or cloud service providers. Data processors will have a duty to comply with the GDPR, with potential liability if they fail to do so. Employers may need to review their contracts with service providers who will be processing employee data and consider imposing stricter requirements and indemnity provisions.

Automated decision making

Employees have the right not to be subjected to automated decision making, for example, for performance management thresholds and triggers for sickness absence and/or attendance bonuses. Employers will need to consider alternative mechanisms for making these decisions.

Businesses will need a business-wide strategy as to how compliance with the GDPR will be achieved, and employment data is likely to form a considerable part of that strategy in most businesses. Employers will need to comply and demonstrate compliance, and this will necessitate having appropriate policies in place, keeping records, and having clear lines of responsibility and training for staff.
