Are you at risk of an £18 million data protection fine? – Employee Consent and the GDPR

The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The GDPR will be applicable in the UK (regardless of Brexit) with derivative legislation replacing the Data Protection Act 1998.

The GDPR extends the scope of current data protection legislation. It also introduces changes to the way in which employers obtain consent to process employee data.

Businesses may process* a significant volume of employee personal data** when carrying out business functions. For example, employee personal data will be ‘processed’ for the purposes of payroll administration, performance reviews, and training and development to name but a few.

What is Processing?

Processing means carrying out any of the following: collecting, recording, organising, storing, using, disclosing, disseminating.

What is Personal Data?

Article 4(1) of the GDPR defines personal data as information relating to an identified or identifiable person. The definition of personal data includes (but is not limited to) name, address, email address, telephone numbers, bank account details i.e. it covers much of the data that employers hold about their employees. There is further category of protected data: sensitive personal data. Sensitive personal data is subject to additional rules in connection with data processing. It includes (but is not limited to) information about racial or ethnic origin, political opinions and religious beliefs.

When is processing of Personal Data Lawful?

Under the GDPR, organisations must have a legal justification for the processing of personal data (including data relating to their employees). Such justification may be based upon employee consent.

What is needed for Employee Consent?

In order to rely upon employee consent as a justification for processing of personal data, employers must demonstrate that the consent was:

• specific and informed;
• freely given; and
• unambiguous

Under the new legislation, the Information Commissioner’s Office will have increased powers to enforce data protection breaches. This includes the ability to issue significant financial penalties. A data protection breach could be a costly mistake for your business and therefore it is essential to take timely advice on compliance.

Poole Alcock is running a series of seminars and bespoke training on compliance with the GDPR and related legislation: if you would like further information about either of these please contact Eve Lakin on 01270 619689 or at eve.lakin@poolealcock.co.uk.