In our last bulletin, we started to have a look at what the General Data Protection Regulation (“GDPR”) will mean for employers when it comes into force on 25 May 2018. In this bulletin we take a more detailed look at audits and consent.
Your preparation for the GDPR should start with an audit of all personal data held: what it is, who handles it, with whom it is shared, the justification for processing it and how long it is retained. This will be a cross-departmental project, involving not just HR but also IT, marketing, compliance and every other part of your organisation that processes personal data.
Once the information has been gathered and collated, it will need to be cross-checked and analysed before being set out in a comprehensive report with an action plan. As is always the case, the output of such an exercise is only as good as the information that went into it. All relevant stakeholders across the business therefore need a clear understanding of the project, the meaning of personal data (including automated data and images), the processes and procedures currently in place (including how software packages handle that data) and, most importantly, the reasons why the data is being processed.
It’s always worth reminding people of the potential fines for non-compliance once the GDPR is in force: for the most serious infringements, up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher (not to mention the damage to your corporate reputation).
If you engage third party contractors (such as outsourced payroll providers, recruitment agencies, IT helpdesks or public relations agencies), you will need to consult those organisations too, asking the same questions so that you have a clear understanding of what happens to personal data in their hands. Where they process personal data on your behalf, the GDPR will also require a written contract setting out their obligations as processors, so the audit should identify which contracts need to be reviewed.
As mentioned in our last article, it will become much harder to rely on consent as the basis for processing employees’ personal data. Consent must be freely given and must be as easy to withdraw as it was to give; given the imbalance of power in the employment relationship, regulators are unlikely to regard an employee’s consent as freely given, and you would not want an employee to be able to withdraw it where that would disrupt the normal operation of your business. Where you have personnel management, marketing, organisational or regulatory reasons for processing, you will generally not need to rely on consent and would be better placed relying on one of the other legal bases. These are likely to be where processing is necessary for the performance of the employment contract (eg paying salaries), for compliance with a legal obligation (eg pension auto-enrolment) or for the pursuit of legitimate interests (eg publishing work contact details on your website).
However, consent may still be required where there is no other lawful basis for processing the data. Examples might include publishing an employee’s qualifications or favourite pastimes in their biography on your website. In these cases, you will have to obtain specific, informed and freely given consent for that particular activity, keep a record of it, and accept that the employee can withdraw it at any time.