The General Data Protection Regulation (the “GDPR”) will, despite Brexit, override the Data Protection Act 1998 and come into force, without requiring any legislation to effect the same, on 25th May 2018. This will affect businesses and their employees upon its immediate implementation, and as such it is prudent to take careful consideration of what can be done now to ensure businesses are compliant.
The increasing fines of up to 20 million Euros or 4% of the global turnover of a business, whichever is the greater, are capturing the attention of many businesses now considering what steps they need to take in order to be compliant. These sums are significantly more punitive than the maximum of £500,000 under the existing law.
Not only will the GDPR apply to data processed on customers, it will also apply to data processed regarding the employees of a business. In particular, employers should consider the significant amount of data which is likely to be processed regarding employees, including:
- CCTV within or around the office;
- office access information;
- data on computer log on; and
- data on websites visited, telephone calls made and e-mails both sent and received.
Employers should also consider the unstructured nature of much of the data surrounding employees and the challenges this creates for an employer looking to be compliant.
One important area the GDPR highlights is the requirements around a data subject’s consent to the processing of their personal data. Consent must be:
- unambiguous, freely given, specific and informed;
- given by a statement or a clear affirmative action;
- as easy to withdraw as to give (and can be withdrawn at any time); and
- kept separate and distinct from other terms and conditions.
Employment contracts are usually offered on a ‘take it or leave it’ basis, with no real room for negotiation on behalf of the employee. As such, the entering into of an employment contract is unlikely to provide for consent being given freely. Under the GDPR, employers will no longer be able to obtain consent regarding the use of an employee’s personal data through terms contained in employment contracts unless the consent for data processing is presented separately to the other terms.
Specifically, employers should consider the following regarding employees:
- review and ensure existing employees’ consents are given through affirmative actions;
- review existing employment contracts to ensure that consent given regarding data processing is clearly distinguished from consent to the other terms of the contract;
- obtain new GDPR compliant consents; and
- ensure future consent given to process personal data is separate from consent to the terms of the employment agreement.
Clearly, reading an article such as this is not a substitute for legal advice. Here at Franklins we are able to offer advice on and assistance in respect of the GDPR, how it will affect your business, what steps you should be taking now and how to ensure that your employees maintain the compliance of your business in the future.
Christopher Buck and Ben Stanton are Solicitors and Associate Partners with Franklins Solicitors LLP. Christopher is in the Corporate Commercial division and seeks to provide cost-effective solutions to businesses regarding the GDPR and other matters. Ben is in the Employment division and can assist with advice and guidance for both employers and employees.
They can be contacted by phone on 01908 660966 / 01604 828282 or by email at Christopher.Buck@franklins-sols.co.uk / Ben.Stanton@franklins-sols.co.uk.