POSTED: December 12 2017
Managing employee rights under GDPR

Managing employee rights under GDPR

Following on from advo’s recent overview of the impact of the new data protection regulations on business, we look at how employers should manage the changes with their staff.


Almost half (47%) of UK office workers don’t know whether their company is taking action to comply with the new European General Data Protection Regulation (GDPR), according to research from Fellowes. However, with the regulation intending to enhance individuals’ rights over their data, employers may want to consider how to manage GDPR in respect to employee data. All employers are essentially data controllers of employee personal data, which will require significant changes to the way HR manages this information.


Say farewell to the ‘tick box’

“It will no longer be sufficient for an employer to have a data protection policy and simply adopt a ‘tick box’ exercise in terms of compliance,” Richard Thomas, Employment Law Partner at Capital Law explains. There will need to be evidence that the employer has considered the individual’s rights under GDPR, weighed against the business needs for processing the personal data.

This means that standard blanket clauses contained in most contracts of employment will need to be reviewed as they won’t be sufficient consent for GDPR purposes, Steph Barber, Head of Legal Compliance at adds. “This will mean reviewing each contract of employment and determining what changes must be made.”


Ask yourself: Do I really need this data?

Thomas advises that throughout the process of identifying the data you need, to keep asking yourself: ‘What is the purpose for this processing?’ It’s also important to ensure that the processing intention is lawful. The most likely basis is that employee data satisfies a legitimate interest of the business or employee – for example, bank details. “It should not be difficult for an employer to be able to identify a potential legitimate interest which can be to do with its business operations,” reassures Thomas. “The question is whether the processing of personal data is then necessary to fulfil those legitimate interests. For example, processing of personal data in relation to a performance management or disciplinary hearing would clearly constitute legitimate interests for the employer.”

Once a lawful purpose for the processing has been identified, the employer can then notify all relevant persons in a Fair Processing Notice.


What’s a Fair Processing Notice?

Under GDPR, every employee will be entitled to receive clear notification concerning any processing of their personal data. The Fair Processing Notice must contain the following:

  • The identity and contact details of the Data Controller (usually the employer);
  • The purpose of the processing (including the legal basis);
  • The categories of data being processed and the details of any recipients of that data;
  • The retention period or the criteria being used to determine this retention period;
  • The existence of the data subject’s rights;
  • The individual’s right to lodge a complaint with the ICO.

This will need to be laid out for all employees and any other individuals relevant to HR. For example, in recruitment, an employer will need to explain how long they will keep a potential candidates’ personal data.


What about individual rights?

Aside from the right to be informed, GDPR also enhances individual rights such as:

  • The right of access to personal information (via Data Subject Access Requests);
  • The right to rectification of data;
  • The right to erasure or the ‘right to be forgotten’;
  • The right to object and/or restrict data processing

In particular for employees, these rights are not absolute, reassures José Alberto Rodríguez Ruiz, Global Data Protection Officer at Cornerstone OnDemand. “The GDPR balances user rights with valid lawful justification of data processing. Three specific examples can illustrate this. If my employer has misspelled my name, I have the right to have that rectified without delay. However, as long as I’m an active employee, and even for a few years after I have left, the company will need to keep my data and I can’t request for everything to be deleted, particularly when the company has a legal obligation to keep a copy of that data. Finally, as an employee I have a general right to access all of my data, but this is not an absolute right. For example, if a performance review process is still ongoing, I shall not have the right to access my information linked to that data until the process is completed.”

Thomas advises to adopt a risk management approach, including consideration as to how it will comply with any person seeking to assert their rights in a timely manner.


How long can I keep data?

One of the key data protection principles is that data is kept for no longer than necessary, meaning employers will have to introduce a data retention and removal policy, determining timescales. There will likely be different timescales for different data.

Thomas explains: “In relation to Employee PAYE and NI data this should be kept for seven years as HMRC have the ability to review this information going back seven years. Claims for breach of contract can be brought up to six years after dismissal so it would be prudent to hold on to an ex-employee’s contract of employment for six years. However, claims for unfair dismissal and discrimination usually must be brought within four months of dismissal so there may be no need to hold onto an ex-employee’s personal data after this point.”


Where should this be outlined?

“Under the accountability principle of the GDPR,” Ruiz says, “companies have to document how they comply with the new law, so HR policy would be part of that compliance documentation.”

He adds that HR should make the policy available to employees, alongside “a privacy policy, that outlines the company’s approach to privacy, data collected, use of the data and explaining how employees can exercise their rights.” Articles 13 and 14 of the GDPR list the minimum amount of information that data controllers have to provide to data subjects. Employers should also set up an internal process for their employees to raise requests, and for the HR department to have the opportunity to reply.



You can see advo’s article on the effect of GDPR on businesses here.


This article was first published in HR Grapevine magazine. You can see the original article here.