Okay, so you’re getting your data protection house in order, and now it’s time to think about your own workers, and what you need to do with them in relation to GDPR.
The good news is that, provided you aren’t doing anything devious with your workers’ personal data, you probably already have sufficient legal justification for processing the personal data of your employees and workers, without the need for additional consents.
The bad news is that your current contracts, policies and procedures will still be out of date from May 2018 (probably).
So, what do you need to do? Here are a few points to get you started:
• You need to put in place a transparent and understandable data protection policy and privacy notice for your employees and workers. This is easier said than done. Data protection is dry, technical and complex, while some of your workers may have only had a limited education. Part of your responsibility is to help ensure that all workers are enabled to understand your legal justification for processing their data, and what their rights are in respect of that data. The old long-winded legalistic data protection policies, which lawyers pored over for hours on end, may, sadly, need to be scrapped.
• Consents, where needed, cannot be buried in contracts or policies. They will need to be separate and distinct. They will also need to be focussed and clear in respect of what they relate to. You will, therefore, probably need to change the wording of your standard contracts of employment or engagement.
• You need to maintain a record of consents (if there are any) and provide an easy mechanism for workers to withdraw such consent whenever they wish.
• You should not seek consent for the processing of personal data where you have another legal justification for processing it – otherwise it might create a misleading impression for a worker in relation to their own rights (i.e. they might think they can withdraw consent, when they can’t).
• You must make sure that you only retain the personal data you need, for as long as you need it. You will need to have in place a transparent data retention policy and share that with your workers.
• While most of this will be handled by your HR team and covered in your staff handbook, you’ll need to think differently about how you deal with job applicants (who might not otherwise have access to your full policies). You might therefore decide to develop and implement a separate, recruitment-specific privacy notice and data protection policy for sharing with all job applicants (even speculative candidates).
• If you operate a candidate bank, you may need to obtain consent from some of those candidates if they have not freely given consent to your retaining their details for future opportunities.
• On a practical level, you will need to map and cleanse the personal data you hold relating to your workers and employees (and ex-workers and ex-employees) so you know what information you hold, and where you hold it.
• You will also need to look at how you secure that data, and make sure that appropriate procedures are implemented and followed so that personal data is stored only in approved locations, handled only by approved persons, and processed only for the permitted reasons.
• If you use an outsourced payroll provider, or you engage with any other external service providers with whom you share workers’ data, then you’ll need to ensure that you have appropriate data processing agreements in place.
Finally, it is worth bearing in mind that one size does not fit all when it comes to data protection compliance under the GDPR. That means you may need to do more than is outlined above to be compliant.