A recent SD Worx survey of 1,800 HR and payroll professionals revealed that 44% still don’t know what the General Data Protection Regulation (GDPR) is. And of the 56% who are aware of it, nearly one fifth (19%) don’t think they’ll be ready for the 25th May 2018 deadline for GDPR compliance.
Quoted in People Management, Jeff Jonas, CEO of software technology firm Senzing, said: “Many businesses appear to be sleepwalking towards a GDPR abyss.”
For HR teams only now getting to grips with the GDPR, one of the key areas they need to understand is lawful processing. Under the GDPR, companies must provide a lawful purpose for each time they process employee data. The rules behind this are much stricter than with the current Data Protection Act.
Consent as a lawful purpose
The employee’s consent remains applicable as a lawful purpose for processing their data; however, HR can’t rely on consent alone. Why? Because consent must be “unambiguous” and “freely given”.
Consent must be “unambiguous” to the extent that employees clearly understand what personal data is being held or processed, and why. For example, your existing policies and contracts most likely contain a short paragraph saying that the individual acknowledges that you will store their personal and sensitive data and that they agree to the processing. This is no longer good enough. Under the GDPR, companies need to seek permission for processing each data type, and for each specific purpose. Furthermore, consent needs to be regularly updated, and it can be withdrawn at any time.
Then there’s the question of consent that’s “freely given”. Employees rely on the business to pay their salaries and continue their employment, so doubt could be raised as to whether an individual felt obliged or pressured into giving consent.
So, let’s look at better options.
Alternative purposes for lawfully processing personal data under the GDPR
There are far stronger reasons than consent for the lawful processing of employee data. An employer can also claim that the processing is:
- In their (the data controller’s) legitimate interests
- Necessary for the performance of a contract
- Compliant with a legal obligation
- Protecting the vital interests of the data subject
- Necessary for performance of a task carried out in the public interest
For example, if you can’t process an employee’s records and bank account details, how can you pay them for the work they’ve done? Under your employment contract, you’re legally obliged to pay the employee, so you can easily tick off two of the six lawful purposes for that particular process.
To help HR teams prepare for GDPR, Me Learning has developed a suite of training courses. Click here to find out which works best for your business.