GDPR: change how you process staff data

General Data Protection Regulation (GDPR) is on its way, bringing big changes that come into effect on 25th May 2018. In particular, one will be choosing a legal ground to process staff’s personal data. So what does that mean in practice? Based on the current draft guidance, here we break it down for you. Getting consent from staff Pre-GDPR, getting staff consent to process personal information has been easy: add a catch-all clause in the contract or the company handbook, get them to sign it, get consent. Job done. That won’t be good enough anymore. GDPR states that your employees’ consent to data processing must be “freely given, specific, informed and unambiguous.” You must be clear and specific when getting the consent because your people must understand what they’re agreeing (or disagreeing) to. And remember, staff can withdraw consent at any time. When consent alone isn’t enough The Information Commissioner’s Office (the ICO) says that if you can’t give people a genuine choice in how you process their data, their consent is worthless. To explain further, if there’s a “clear imbalance” in the relationship between the data controller (most likely you) and the data subject (your employee), the consent isn’t reliable. Your staff may argue they felt forced into giving their consent because they feared losing their jobs. For example, say you want to start monitoring people at work. Your employees may agree because they feel like they have no other choice. That isn’t someone who freely gives you their consent. 3 more legal grounds to process data

1. Performance of a contract, g. you’ll still need your employees’ bank details to pay them for the contractual work they do for you.
2. Comply with legal obligations, g. the law may say you have to check criminal records.
3. Legitimate interest. You must balance your legitimate business interests (most likely commercial benefit) with staff interests. A good example is privacy rights.

Monitoring employees’ email data could be a legitimate interest to make sure people are working. But you’ll have to prove it’s legitimate, and the data you store must be necessary and proportionate. 3 ways you must prepare

1. Review how and where you process staff data and identify any legal basis for it.
2. When you rely on staff consent, think about any processes you’ll need in place if someone withdraws consent.
3. Assess whether you have the right balance between legitimate interest data processing and your employees’ rights. Think about how to avoid breaching anyone’s rights.

Bio: Alastair Brown is Chief Technical Officer of people management software company, BrightHR.