GDPR and Employee Personal Data

Amidst the haze of GDPR headlines it can be easy to think that as a business you need only be concerned about the personal data of your clients and customers. However, under the General Data Protection Regulation (GDPR) which comes into force on 25^th May 2018, certain data about your employees will count as personal data too.

The GDPR is not intended to be a radical overhaul of data protection legislation but rather a strengthening of the rights enjoyed by data subjects (i.e. the people about whom you hold data). Employees will be data subjects and therefore will have the same entitlements enjoyed by any other data subject. Such rights include: the right to be informed about how, where and when their data is being processed, the right to make a subject access request; and the right to request erasure of their data in certain circumstances.

As well as strengthening data subjects’ rights, the GDPR also changes the lawful bases upon which you can process data. Before you can process (think collect, store, transfer, delete etc.) personal data you must identify a lawful justification for processing. If your processing cannot be justified on one of six bases appearing in the GDPR, processing will be unlawful. One such lawful basis is that the processing is necessary for the performance of a contract with the data subject. This may seem like the obvious justification for processing your employees’ personal data. You must consider carefully your processing activities and decide whether it is truly necessary for the employment relationship. Your lawful justification will need to be communicated to your employees (usually by way of a privacy notice).

What should you do as an employer?

The GDPR is unlikely to significantly change the substance of your relationship with your employees. However, it is very likely that in order to be technically compliant with the GDPR you will need to make a number of changes to your employment contracts and workplace policies.

If your employment documentation needs a review or redraft, or if you require advice about any aspect of the GDPR, please contact Eve Lakin via eve.lakin@poolealcock.co.uk or on 01270 619689. Alternatively, please visit our Employment services page here or complete this form for a call back.