GDPR: Preparing for Change! What do Employers and HR teams need to know?
Part 4: Employee monitoring under the GDPR
The General Data Protection Regulation (GDPR) will be enforceable as of May 2018 and will impact the day-to-day activities of HR teams and employers on a wide scale. In part 4 of our series on the GDPR and what it means for employers, we focus on the controversial topic of employee monitoring, and how this will be affected under the GDPR.
Employee monitoring is likely to be more difficult under the GDPR
The General Data Protection Regulation (GDPR) will apply from 25 May 2018, and while it does not expressly change the rules on employee monitoring, it may make monitoring more difficult for employers.
(1) Legal basis (condition) for monitoring
As discussed more fully in the third part of our blog series, valid consent will be difficult to obtain for processing HR data, especially in relation to sensitive personal data. We therefore recommend that organisations seek to rely on another legal basis for processing data, such as legitimate interests or contractual necessity.
Quick recap: Under the GDPR, consent must be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Given the imbalance of power between employees and employers, it will be difficult for consent to be freely given, which means it is unlikely to provide a valid basis for processing in relation to employment matters. Indeed, the ICO gives the employment relationship as an example of an imbalance of power in its draft guidance on consent and the GDPR (available here).
Where HR teams monitor employee use of IT systems for data security reasons, they would not want to rely on consent, or seek to obtain it, in case it is withheld. Instead, employers will need to consider justifying monitoring on alternative legal bases such as (i) legitimate interests based on the reasons for the monitoring, or (ii) legal obligations to maintain the security of the employee data held. But hold on: even where a legal obligation provides the legal basis, you must still comply with the additional measures set out below.
(2) Privacy by Design and PIAs
A privacy impact assessment (PIA) is an assessment to identify and minimise non-compliance risks. The GDPR requires employers to conduct a privacy impact assessment, prior to processing, when processing is considered likely to result in a high risk to the rights and freedoms of the individual, for example, where an organisation is considering the implementation of an online HR system for staff. This assessment will ensure the employer is aware of the privacy risks at the outset of implementation and can take steps to reduce the impact a system will have on privacy.
Quick recap: Please also see the second part of our blog series for more information on privacy by design and PIAs.
It is likely that employee monitoring is a form of high-risk processing which will require that a PIA be undertaken and documented by employers. If the PIA outcome shows there is a high, unmitigated risk to employees, the employer must consult the national data protection authority (the ICO in the UK) and seek advice on the adequacy of any measures intended to reduce the risks identified in the PIA.
So, how can employers prepare?
- Review your policies, handbooks and employment contracts to determine what legal basis your organisation relies on for employee monitoring.
- Carry out a PIA prior to any employee monitoring – highlight the benefits and risks to the organisation of that monitoring, and ensure these benefits/risks are justified and balanced with employee rights.
- Consider alternative ways to meet business objectives which could reduce the risk of any breach under the GDPR – and document the assessment.
- Read our blogs and seek guidance when implementing new measures!
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.