GDPR: change how you process staff data


Peninsula Group, HR and Health & Safety Experts


The General Data Protection Regulation (GDPR) is on its way, bringing big changes that come into effect on 25th May 2018. One change in particular is that you will need to choose a legal ground for processing your staff’s personal data. So what does that mean in practice? Based on the current draft guidance, here we break it down for you.

Getting consent from staff

Pre-GDPR, getting staff consent to process personal information has been easy: add a catch-all clause in the contract or the company handbook, get them to sign it, get consent. Job done. That won’t be good enough anymore. GDPR states that your employees’ consent to data processing must be “freely given, specific, informed and unambiguous.” You must be clear and specific when getting the consent because your people must understand what they’re agreeing (or disagreeing) to. And remember, staff can withdraw consent at any time.

When consent alone isn’t enough

The Information Commissioner’s Office (the ICO) says that if you can’t give people a genuine choice in how you process their data, their consent is worthless. To explain further, if there’s a “clear imbalance” in the relationship between the data controller (most likely you) and the data subject (your employee), the consent isn’t reliable. Your staff may argue they felt forced into giving their consent because they feared losing their jobs. For example, say you want to start monitoring people at work. Your employees may agree because they feel like they have no other choice. That isn’t someone who freely gives you their consent.

3 more legal grounds to process data

  1. Performance of a contract, e.g. you’ll still need your employees’ bank details to pay them for the contractual work they do for you.
  2. Comply with legal obligations, e.g. the law may say you have to check criminal records.
  3. Legitimate interest. You must balance your legitimate business interests (most likely commercial benefit) with staff interests. A good example is privacy rights.

Monitoring employees’ email data could be a legitimate interest to make sure people are working. But you’ll have to prove it’s legitimate, and the data you store must be necessary and proportionate.

3 ways you must prepare

  1. Review how and where you process staff data and identify any legal basis for it.
  2. When you rely on staff consent, think about any processes you’ll need in place if someone withdraws consent.
  3. Assess whether you have the right balance between legitimate interest data processing and your employees’ rights. Think about how to avoid breaching anyone’s rights.

Bio: Alastair Brown is Chief Technical Officer of people management software company, BrightHR.

