5 ways employers can prepare for the GDPR
One of the biggest sea changes to data protection law in 20 years will take effect on 25 May 2018 when the General Data Protection Regulation, or GDPR, begins to apply. This new European legislation will have a wide-ranging impact on the way in which businesses handle the data of customers and clients. The GDPR will have particular significance for employers, who will have to think carefully about how they handle all data relating to their employees. This article sets out five key steps employers can take now to prepare for the introduction of the GDPR.
1 Audit your data
As a starting point, you should determine what personal data you hold on employees, where it came from and who you share it with. ‘Personal data’ covers an employee’s name, address, date of birth, salary and any other data from which the employee can be identified.
2 Review your consent procedures
The GDPR introduces a more stringent standard for consent, which requires consent to be freely given, specific, informed and unambiguous. In practice this means that consent must be capable of being verified, given by a positive opt-in, separate from other terms and conditions, and capable of being easily withdrawn; it cannot be inferred from silence, pre-ticked boxes or inactivity.
Most employers currently rely on wide-ranging consents which are often buried in employment contracts. This type of consent will no longer be sufficient, not least because the imbalance of power between employer and employee makes it hard to show that consent was freely given. You will need either to obtain new, GDPR-compliant consent or to consider alternatives to consent.
3 Identify the best legal reason for processing employee data
Most employers currently rely on consent as their go-to reason for processing an employee's data. However, there are other lawful bases that can be equally appropriate and more convenient to rely on.
Such alternative bases include processing that is necessary to perform an obligation under the employment contract, e.g. to pay the employee's salary. Another pertinent basis is compliance with a legal obligation, such as submitting tax returns to HMRC. A further useful basis is processing that is necessary for the employer's legitimate interests, provided those interests are not overridden by the interests, rights and freedoms of the employee. This catch-all category can cover a wide range of activities, but you should record the balancing exercise you carried out when relying on it.
In advance of the GDPR taking effect, you should review the various types of processing activity you carry out and identify the appropriate lawful basis under the GDPR for each one.
4 Prepare privacy notices
Under the GDPR, when you collect an employee's personal data you will need to give them certain information on how you intend to use it, including the purposes of the processing, the lawful basis relied on, who the data will be shared with, how long it will be kept, and the employee's rights in relation to it. This is in keeping with the 'transparency principle', which is a key component of the GDPR. Privacy notices must be provided free of charge in a form that is concise, intelligible, easily accessible, and written in clear and plain language.
5 Review your data breach procedure
With the GDPR comes a new obligation to report to the Information Commissioner's Office, within 72 hours of becoming aware of it, any personal data breach that could result in a risk to individuals' rights and freedoms. Examples are breaches that could result in discrimination, damage to reputation, loss of confidentiality, financial loss, or any other significant economic or social disadvantage. If the breach is likely to result in a high risk to an employee's rights and freedoms, you will also have to notify the affected employee without undue delay. Because the 72-hour clock starts when you become aware of the breach, you should ensure you have appropriate procedures in place so you can detect, contain, investigate and report any breach involving personal data, and keep a record of every breach whether or not it was reportable.
Illustration: "GDPR" by Flickr user forester401, used under the Creative Commons Attribution 2.0 licence
