Personal Data and the GDPR
When the General Data Protection Regulation (GDPR) takes effect on 25 May 2018, any consent that employers rely on to access and use employee data will have to be freely given, specific, informed and unambiguous, and employees must be able to withdraw it at any time. Recital 43 of the GDPR states that consent is unlikely to be valid where there is a clear imbalance of power between the person giving it and the party relying on it. In an employment context, it has long been acknowledged that there is such an imbalance between employer and employee, so consent will rarely be a safe basis for processing employee data.
The legal grounds for processing some categories of personal data will remain straightforward, because consent is not needed where the processing is necessary to perform the employment contract or to comply with a legal obligation. For example, employers have to process employees’ bank account details to pay their salaries, and their sickness absence records to administer statutory sick pay.
But where an employer relies instead on its legitimate interests, there are limits on how far those interests can be extended. If an employer uses a data loss prevention (DLP) tool to scan employees’ outgoing emails automatically and stop unauthorised transmission of proprietary data, it will need to ensure that the rules the tool applies are fully transparent to employees. Employees must also be warned in advance when the tool flags an email they are about to send as a possible data breach, and be given the option to cancel it rather than having the message silently blocked.
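The following is an added example, not code from the original article or from any DLP product, of how an outbound-mail check can be built around the two requirements just described: the rules are published in plain language alongside the patterns they apply, and a match produces a hold with an explanatory notice and a cancel option instead of a silent block. The rule set, the mail domain example.com and the sample message are all constructed for the illustration.

```python
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str          # plain-language wording published to employees
    pattern: re.Pattern


# Assumed rule set. Each rule's description is the text the monitoring
# policy shows employees, so the tool never flags on an undisclosed criterion.
RULES = (
    Rule("customer-id",
         "contains an internal customer reference (CUST-nnnnnn)",
         re.compile(r"\bCUST-\d{6}\b")),
    Rule("confidential-marking",
         "is marked CONFIDENTIAL in the subject or body",
         re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)),
)

INTERNAL_DOMAIN = "example.com"   # assumed employer mail domain


@dataclass
class Verdict:
    action: str                                   # "send" or "hold"
    matched: list = field(default_factory=list)   # IDs of the rules that fired
    notice: str = ""                              # text shown to the sender


def _is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def check_outbound(recipients, subject, body) -> Verdict:
    """Evaluate one outgoing message against the published rules.

    Only messages with at least one external recipient are inspected, and a
    match never silently blocks or quarantines: it yields a 'hold' verdict
    whose notice names the published rule(s) that matched and tells the
    sender they may cancel or confirm the send.
    """
    if not any(_is_external(r) for r in recipients):
        return Verdict(action="send")
    text = f"{subject}\n{body}"
    matched = [r for r in RULES if r.pattern.search(text)]
    if not matched:
        return Verdict(action="send")
    reasons = "; ".join(f"[{r.rule_id}] {r.description}" for r in matched)
    notice = (
        "This message goes to an external recipient and matched the "
        f"following monitoring rules: {reasons}. "
        "Choose Cancel to withdraw it or Send to confirm."
    )
    return Verdict(action="hold",
                   matched=[r.rule_id for r in matched],
                   notice=notice)


def apply_sender_choice(verdict: Verdict, confirm: bool) -> dict:
    """Resolve a verdict with the sender's decision.

    Returns an audit record naming the rules involved and the outcome, but
    deliberately omitting the message content (data minimisation).
    """
    if verdict.action == "send":
        return {"outcome": "sent", "rules": []}
    outcome = "sent-after-warning" if confirm else "cancelled-by-sender"
    return {"outcome": outcome, "rules": list(verdict.matched)}


if __name__ == "__main__":
    # Constructed sample message, not a real one.
    v = check_outbound(["partner@other.example"], "Q3 figures",
                       "Please see CUST-004412 and the CONFIDENTIAL attachment.")
    print(v.action, v.matched)
    print(v.notice)
    print(apply_sender_choice(v, confirm=False))
```

The design choice worth noting is that the audit record carries only rule IDs and the outcome, not the message text, so the monitoring log itself does not become a second store of the proprietary or personal data the tool exists to protect.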
Employers should also review their template employee documentation, such as employment contracts, and ensure that any employee consent to access, monitor or pass on data is expressly and separately given rather than implied as part of the contractual terms.