GDPR: The implications for Employers
25 May 2017
Author: Sarah Cochrane
The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 1995 from May 2018. Our previous articles in this series have looked at some of the new concepts introduced by the GDPR, the practicalities of implementing it and timing difficulties created by Brexit. In this final article in the series, we consider some of the key issues which employers will need to be aware of and plan for accordingly in advance of the GDPR going live.
More extensive obligations
The GDPR provides for a more extensive set of obligations, with greater restrictions on staff data-processing overall, less flexibility for employers when it comes to risk-based decisions on compliance and higher potential liability for non-compliance.
The intention is for the GDPR to generally facilitate a more unified approach to data protection across member states. However, harmonisation may not be as complete as one might expect as the GDPR also permits Member States to enact additional controls at national level to protect employee data.
Data protection officers
For those obliged to do so, the appointment of data protection officers could prove difficult and highly competitive.
Limits on consent
The employer’s ability to rely on employee consent for processing will be restricted significantly by a requirement for more in-depth data protection notices, detailing the scope of the consent and a more restricted interpretation of “consent”, the latter being intended to prevent undue influence.
GDPR sets higher standards around the nature of the employee data which employers can retain and for how long so organisational retention policies are likely to require revision.
Processing without consent
GDPR restricts the ability of employers to rely on “legitimate” interest to override individual consent – going forward any such alleged interests will have to be spelt out in a more detailed privacy notice in advance.
As outlined above, the new regime will introduce some substantial changes which employers will need to carefully plan for. Whilst the full impact of GDPR remains to be seen.
May 2018 may seem like a long way off but the implications of GDPR for some employers could be extensive and those who start putting their house in order now are likely to fair better than those who don’t.
For more information on any of the matters detailed above or for general advice on or assistance with the new GDPR, please contact Dawn McKnight [email protected]. Dawn is a Partner at Carson McDowell and is head of the firm’s Commercial Practice.