Do employment contracts need amending under GDPR?

The implementation of the EU’s General Data Protection Regulation (GDPR) from 25th May 2018 has raised a number of administrative concerns from employers who are seeking full compliance with new data laws, especially due to the significant increase in penalties for non-compliance. A common question is whether GDPR requires contracts of employment to be amended. With existing employees, each contract of employment is likely to make reference to processing of information under the Data Protection Act or outline that the employee provides their consent for various forms of data processing. Under GDPR, these blanket consent clauses are likely to be unenforceable due to the requirement for consent to be unambiguous, specific, informed and freely given. Rather than update each existing contract, employers can instead issue a GDPR compliant privacy notice to employees. The notice is used as a method of meeting the individual’s right to be informed and will also supersede any invalid and outdated clauses in the contract. The notice provides the employee with information about how their data is processed, including specifying the lawful bases for processing, whether data is shared, how long data will be retained for and the employee’s rights in relation to their personal data. Where new employees are issued contracts from the date of implementation, these can be updated versions in line with GDPR. The privacy notice should still be given to the employee, however as this is an simple way of providing the employee with full advice and guidance about what GDPR means for them and their personal data within the business. Alongside employment contracts, most employee handbooks will contain specific references to data protections rules and legislation. Additionally, a data protection policy may be in place to outline the current processes and procedures about the business’s use of data. Handbooks will need to be updated, either through inputting amendments into the existing handbook, creating new policies and clauses, or using a variation of terms letter to outline where specific wording or clauses are being overwritten. Once updated, the handbook needs to be reissued to all members of staff to ensure they have accessed and read the most up-to-date version. Making a formal note of the date this occurs and to whom the handbook is provided will be useful evidence if a dispute crops up in the future. Having each employee sign a notice stating they have received, read and understood each version of the handbook will also be a useful, although administratively burdensome, record.