Post a comment
Print articleEmployers: Are you GDPR ready?
April, 2018 - Duncan Inverarity
In our GDPR for Employers guide, we look at the key areas where employers will need to implement change and how to manage the impact of these regulations on the business. These areas include:
- Consent
- Privacy Notices
- Data Subject Access Requests (DSARs)
- Security Obligations
- The Final Countdown - HR To-Do List
Click to View the GDPR for EmployersGuide
The EU General Data Protection Regulation (GDPR) introduces substantial changes to data protection law which will impact the employer/employee relationship once it comes into force on the 25 May 2018. One area that will be impacted is reliance by the employer on the employee’s consent to process their data. It is common practice for employment contracts to include a blanket consent provision under the heading “data protection”. Typically this will provide that the employee consents to the use and processing of their data under the contract (e.g. transfer of data overseas, monitoring, disclosure of sensitive personal data to third parties and the sharing of information with a wide variety of partners for payroll, insurance and health related purposes). It is unlikely that this form of consent will be held to be effective once the GDPR comes into operation and even if it is, employees have a right to withdraw their consent at any time.
If you as an employer want to rely on consent as the basis on which to process an employees’ data, the employees’ consent should be separate from the contract or, if contained within the employment contract, it should be clearly distinguishable from other aspects of the document and a separate signature box is required. Employees will have a stronger right to have their data deleted where consent is relied on as a legal basis for processing. Prior to giving consent, employees must be told of their right to withdraw consent at any time and it must be easy for them to do so (i.e. allowing consent to be withdrawn in the same medium in which it was obtained, such as via a website or email). For these reasons an employer should look for an alternative legal basis for processing in the first instance so that if consent is withdrawn the employer is not prohibited from processing personal data.
For more information in relation to the above please contacta member of theA&L Goodbody Employment team at A&L Goodbody.
