Who is covered by the General Data Protection Regulation (GDPR)?
If a company has EU-based employees whose behaviour it “monitors” (see below) it will need to take steps to ensure that it is compliant with the GDPR when it comes into force in May 2018. “Monitoring” in an employment context is not defined in the GDPR itself but is likely to cover the tracking of employees’ activities in order to take disciplinary, performance or other employment-related actions in respect of them. In reality, given the technologies most employers will require EU-based employees to use in the workplace, most employers with EU-based employees are likely to be tracking the behaviour of their employees and therefore covered by the GDPR. This means that companies based outside the EU will need to comply with the GDPR in respect of their EU-based employees, even though they may have no corporate presence there. Such companies must appoint an EU representative established in one of the EU Member States where they have EU-based employees.
What do employers need to do?
Although the structure and concepts in the GDPR will in some respects be familiar to employers (because they reflect current requirements under the existing law), there are some key changes. The most important of these is the restriction on the use of consent in the context of the employment relationship.
Can employers rely on employees’ consent to process their data?
Currently, many companies rely on employees’ consent to process their personal data and short consents are often included in the employment contract. However, under the GDPR, for consents to be valid it must be freely-given, specific, informed and revocable. The GDPR states that, given the imbalance of power between employer and employee, employees can only give free consent in exceptional circumstances. In reality, it will be very difficult for employers to rely on consent to process employees’ personal data.
What should employers do instead of relying on employees’ consent?
Consent is only one of a number of potential legal bases for processing employee data. Alternative legal bases include processing being:
- necessary for the performance of the employment contract. This would cover, e.g., employees’ bank account data which the employer requires to pay employees
- required by law. This would cover, e.g., processing of sickness absence data to facilitate the payment of statutory sick pay in the UK
- in the employer’s legitimate interests which outweigh the general privacy rights of employees. This is potentially much wider in scope and will assume much greater prominence under the GDPR
What steps should employers be taking to comply with the GDPR?
Companies should review their template employee documentation such as employment contracts and any free-standing employee data processing consents. For both new hires and existing employees, we recommend that companies replace the consent language in these documents by new language referencing the alternative legal bases referred to above. For existing employees, companies should roll out employee data processing notices which refer to these alternative legal bases.
What are the potential sanctions for non-compliance?
Failure to comply with the GDPR can result in fines of up to €20 million or 4% of a company’s (or the entire group company’s) annual worldwide turnover. This is significantly higher than the current penalties available for non-compliance with the existing regime (e.g. fines of up to £500,000 in the UK).