29 September 2017

New law: Employers review employment contracts as new data protection law looms

Employers should be identifying and preparing to implement necessary changes to their employment contracts ahead of the impending General Data Protection Regulation (GDPR).

The GDPR is an EU Regulation that strengthens and unifies data protection for individuals within the EU, and regulates the export of personal data outside the EU. Its aim is to give citizens control over their personal data and simplify the regulatory environment for international business. It will replace the UK’s current data protection laws and is due to come into force on 25 May 2018. As it is an EU Regulation the GDPR has direct effect – there is no need for enabling UK law.

Much of the new law will be the same as existing UK data protection law but there are significant differences. One change is that the criteria for obtaining consent to use of data will be harder to satisfy. Consent will have to be freely given, specific to each use to which the data will be put, informed, unambiguous, distinguishable (ie. not hidden away in small print or boilerplate clauses) and easy to withdraw.

These requirements will require significant changes to the form such consents take in contracts of employment, and the surrounding processes and procedures (for example, the processes must allow for the withdrawal of consent, and provide for the consequences if that happens).

If employers obtain consent from employees by including a consent to data processing in their employees’ employment contracts, those contracts may need to be altered to take account of the GDPR.

This should be part of a larger review, planning and implementation process, taking into account the many other changes in the new law.

Operative date

  • May 2018

Recommendation

  • Employers should be identifying and preparing to implement necessary changes to their employment contracts now as a result of the GDPR