As part of their GDPR 12 month countdown series, the Taylor Vinters HR GDPR team look at which employment-related documents will need to be reviewed (or implemented if they don't already exist) as part of an employer's journey towards GDPR compliance.

With 2017 drawing to a close, many HR professionals are starting to consider the practical impact of the GDPR on HR procedures, policies and other documentation. Whilst certain employers may have already started to consider what changes will be required, our experience is that there is still some uncertainty about how HR documentation should be amended, or indeed drafted for the first time.

How does an employer know where to start?

The answer to this question will largely depend on the results of any HR Data Audit that the employer has already carried out. Without this information it is very difficult to assess whether the HR-related procedures and documentation which are currently in place, will be compliant under the GDPR.

However, it is highly likely that one of the first remedial steps will be to consider the lawful basis upon which HR data will be processed under the GDPR, as this information will be a key component of a number of employment-related documents.

Most employers currently rely on "consent" as the lawful ground upon which they process data. Whilst this will remain a lawful ground for processing data under the GDPR, where consent is used, it will be subject to much stricter thresholds. With effect from May next year, any consent must be "freely given, specific, informed and unambiguous" and "clearly distinguishable." Further it is important that it should be as easy for an individual to withdraw their consent as it was to provide it in the first place.

In light of these strict requirements, it will be very difficult to establish that an employee's consent is genuinely "freely given" in the context of the employment relationship, due to the unequal bargaining power of the parties and the employee's genuine ability to refuse to give consent. There may well be very specific one-off circumstances where consent can be relied upon in this context but employers should consider it as a last resort.

As such, employers will need to consider which of the other lawful grounds for processing data may be relevant to its processing of HR data. In the context of handling employee data, it may very well be the case that the processing activity will be "necessary for the performance of a contract" (for example it will be necessary to process an employee's data, to pay that employee under the employment contract) or because the processing is necessary for "compliance with a legal obligation" (for example certain data will need to be processed make to social security payments such as statutory sick pay or maternity pay).

Alternatively, where an appropriate assessment is carried out by the employer, there may also be scope to rely on the ground that the processing activity is necessary for the purposes of "legitimate interests" pursued by the business (for example, employers need next of kin contact details in case of an emergency).

Will employment contracts need to be amended?

Many employers currently rely on "blanket" consent clauses contained within the employment contract. In light of the changed requirements for consent to be valid, it is likely that any such consent provisions will no longer be valid and should be removed from employment contracts.

Notwithstanding the above, our recommendation is that it will still be sensible for employers to include a revised data protection clause in their contracts. Amongst other things this will serve as a notification to employees that they must comply with the company's policies in relation to data protection whenever they are handling personal data in their work. The contract should also notify the employees that full details about the data that the company is processing about them, is contained in a separate Privacy Notice – Privacy Notices will be the key focus of our next Countdown article.

Will it be necessary to introduce other HR data-related policies and procedures?

As part of an employer's ongoing GDPR compliance programme, it is recommended that the following policies and procedures are developed and implemented:

  • Data Retention and Disposal policy – A core principle of the GDPR is that data should not be retained for longer than is reasonably necessary to enable the processing for which that data was obtained to take place ("storage limitation"). Employers will therefore need to be able to demonstrate that data is retained for an appropriate period. A key way to demonstrate that thought has been given to this matter is to develop a policy that provides guidelines in relation to appropriate retention periods for certain HR documents. This will likely include details about the measures that the employer is taking to ensure the security of that data both during the period whilst it is retained and in relation to the manner in which it is "disposed".
  • Subject Access Requests ("SAR") policy – Certain rules relating to SARs will be changing under the GDPR. The changes should be documented in a revised policy so that those involved in handling such requests are aware of the new rules, including revised time periods for responding to SARs, the increased information that must be provided to employees making a SAR, the extent of the search, and the new provisions relating to payment of fees. Beyond ensuring that the new SAR procedure complies with the text of the GDPR, any new procedure is likely to include at least one meeting with the person making the SAR to clarify the scope of the SAR and discuss relevant arrangements for responding. The policy is also likely to reserve the employer's right (in appropriate circumstances only) to extend the deadline for responding to a SAR and potentially charging a fee (or not responding to a SAR at all).
  • Personal Data Breach Notification and Response plan – The GDPR will mean new mandatory data breach reporting obligations as set out in our recent article. Employers will need an appropriate procedure in place to ensure that personal data breaches are handled consistently and correctly across the organisation and that (amongst other things) staff know what to do should they become aware of such a breach.
  • Legitimate Interests policy – As outlined above, one of the potentially lawful grounds for processing personal data arises where the processing is necessary for the purposes of the legitimate interests of the employer. When relying on this ground, employers should have a clear and documented process in place for assessing whether in any particular circumstance; it can validly rely on this ground. Accordingly a policy which sets out some typical legitimate interests of the employer is highly recommended. This will also detail the process that the employer will follow to ensure in relation to any new processing activities, that (on balance) any such legitimate interests do not override by the rights and freedoms of the employee. The documentation aspect of this is essential to comply with the new GDPR principle of accountability i.e. being able to prove compliance if called upon by the ICO.

Next steps

Whilst compliance with the GDPR may seem like a daunting prospect, planning for this at an early stage is vital. Whilst the new regime will likely require a re-think of current employment processes and documentation, there is still time to consider what changes will be required and how and when you will look to implement these.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.