Employment contracts and GDPR – are you compliant?

26 April 2018

Why change?

Many employers are not aware that their employment documents are out of date or that it is essential to implement new processes and policies to stay compliant with the new data protection legislation.

Employment documents, including contracts, need to be reviewed on a regular basis because employment law changes frequently and to ensure all suitable clauses are included. This will become even more significant from 25 May, when GDPR comes into force and any breaches will potentially be more heavily fined.

Basis for Processing or Consent?

There are 5 main lawful bases for processing:

  1. Contract
  2. Legal Obligation
  3. Vital Interests
  4. Public Task
  5. Legitimate Interests

If the reason for processing does not fit any of these 5 criteria, then you will need to obtain specific consent.

Equally, if you are processing sensitive personal data (and many will be caught by the fact that this includes health details), you will also need to obtain specific consent.

Under the GDPR, consent in relation to personal data must be “freely given, specific, informed, unambiguous, and revocable”. Any consent subjected to imbalance of power between the data subject (employee) and the data processor (employer) will become invalid. Equally, historic contract clauses which detailed implied consent will not be valid.  

It would be advisable for employers to incorporate new data protection clauses within employment contracts or to check that existing clauses remain relevant.

Contracts are changed, then what?

You need to ensure GDPR compliance across all HR related policies and processes. To identify gaps and effectively plan all those changes, employers can take the following steps:

  • Conduct a GDPR audit
  • Review third-party contracts with data processors (such as HR service providers – cloud based employee data software services, insurance companies, outsourced payroll and employee benefit programme services)
  • Ensure your recruitment processes are also reviewed
  • Implement new or revise existing policies (Data Protection Policy, Data Retention and Disposal policy, Subject Access Requests, Information Security policy, Privacy Policies)
  • Ensure a correct process is in place for notification of, and response to, a personal data breach

Aspire Comment

Compliance with GDPR may appear to be overwhelming and extremely extensive. Aspire can identify compliance gaps within your business and provide a comprehensive report of recommendations, as well as action them, whether that means drafting the relevant documents or providing communication and training for your workforce.