What Impact Does GDPR Have On HR?
Posted on 22nd April 2018 at 15:11
The General Data Protection Regulation (GDPR) is due to come into force in the UK on 25 May 2018. The aim of the GDPR, which replaces the current Data Protection Directive, is to establish a modern and harmonised data protection framework across the EU. I'm going to be looking at some questions being raised about this topic.
When can employers rely on employees' consent to process their data under the GDPR?
The circumstances in which employers can rely on employees' consent as the legal basis for processing their data are extremely limited under the General Data Protection Regulation (GDPR). This is because, for consent to be valid, it must be "freely given". The imbalance of power in the employment relationship means that this condition will rarely be met where the employer asks an employee for consent to process his or her personal data. Further, employees are free to withdraw their consent at any time, making it impractical for employers to use consent as the basis for their processing.
Employers should rely on consent only where no other legal basis for the processing applies (ie it is not necessary for the performance of a contract, compliance with a legal obligation or the employer's legitimate interests) and there will be no adverse consequences for an employee who refuses to provide consent.
For example, an employer may wish to publish a photograph on its intranet of an employee taking part in a charity event organised by the employer. This would constitute processing of the employee's personal data. The employer could ask the employee for his or her consent to publish the photograph on the understanding that, if he or she does not agree to this, the employer will use a different photograph and the employee will not suffer any consequences.
Another example of where it could be appropriate for an employer to rely on consent for processing personal data is where it runs employee networks with the aim of promoting workforce diversity, for example a network for LGBT employees or a network for employees with disabilities. Provided that the networks are run on an entirely voluntary basis, the employer could rely on consent as the basis for processing the data of employees who wish to be involved. There must be no negative consequences for employees who choose not to consent to their data being processed for that purpose. Consent is one of the conditions that an employer can rely on to process special category data such as information about an employee's health or sexual orientation.
If you need help with any aspect of GDPR and your workforce, please email firstname.lastname@example.org
Share this post: