Why change?

Many employers are not aware that their employment documents are out of date or that it is essential to implement new processes and policies to stay compliant with the new data protection legislation.

Employment documents, including contracts, need to be reviewed on a regular basis due to the dynamism of employment law and to ensure all suitable clauses are included. This will become even more significant from 25th of May, when GDPR comes into force and any breaches will potentially be more heavily fined.

Basis for Processing or Consent?

There are 5 main lawful bases for processing;

  1. Contract
  2. Legal Obligation
  3. Vital Interests
  4. Public Task
  5. Legitimate Interests

If the reason for processing does not fit any of these 5 criteria, then you will need to obtain specific consent.

Equally, if you are processing sensitive personal data, and many will be caught by the fact that this includes health details, you will also need to obtain specific consent.

Under the GDPR, consent in relation to personal data must be “freely given, specific, informed, unambiguous, and revocable”. Any consent subjected to imbalance of power between the data subject (employee) and the data processor (employer) will become invalid. Equally, historic contract clauses which detailed implied consent will not be valid.

It would be advisable for employers to incorporate new data protection clauses within employment contacts or check that existing clauses remain relevant.

Contracts are changed, then what?

You need to ensure GDPR compliance across all HR related policies and processes. To identify gaps and effectively plan all those changes, employers can take the following steps:

  • Conduct a GDPR audit
  • Review third-party contracts with data processors (such as HR service providers – cloud based employee data software services, insurance companies, outsourced payroll and employee benefit programme services)
  • Ensure your recruitment processes are also reviewed
  • Implement new or revise existing policies (Data Protection Policy, Data Retention and Disposal policy, Subject Access Requests, Information Security policy, Privacy Policies)
  • Ensure correct process for Notification and Response to a Personal Data Breach

Aspire Comment

Compliance with GDPR may appear to be overwhelming and extremely extensive. Aspire can identify compliance gaps within your business and provide a comprehensive report on recommendations, as well as action them. Whether it be drafting relevant documents or communication and training for your workforce.

Minden U.K. Limited use Aspire Business Partnership LLP. This firm provide Minden U.K. Ltd with practical and commercially sound advice in relation to all aspects of compliance, business strategy and conflict resolution. Original article can be found on Aspire’s website: http://www.aspirepartnership.co.uk/News/3123/employment-contracts-and-gdpr-are-you-compliant