Having survived the weeks leading up to 25 May and the deluge of emails from firms you've never even heard of about your mailing preferences, you'd be forgiven for thinking that your GDPR troubles are over.
For HR professionals, there are actually far more significant points to consider.
The GDPR – a convenient shorthand for reform of data privacy laws to bring them into the age of the internet - has mostly been presented as a digital exercise about data cleansing, firewalls and obtaining and recording consent.
But it has also changed the balance of power between employees and employers in a pretty fundamental way.
Under the new rules, employers can no longer compel their employees to produce and hand over their health records, no matter what pre-GDPR clauses exist in their contracts. The laws enacted in both Jersey and Guernsey to enable the GDPR specifically say that contractual terms requiring employees to disclose a health record, or even part of any health record, will be void from the point that the GDPR entered into force.
Over and above that, employees now also have a legitimate expectation that they can keep their personal health information private, and that employers will respect their privacy. Where health information is being collected, employees should know what is held, who is holding it, where it is held and the reasons why it is held.
This changes the picture in a number of ways, but most significantly in terms of dismissals on the grounds of ill-health, particularly as the onus is on the employer, not the employee, to obtain evidence to support a decision to dismiss.
In the same way, an employer's right to demand evidence of criminal records has been swept away (except under certain circumstances). Employers are no longer able to demand evidence of criminal records unless the employee (or the position being recruited for) fits a defined list of categories including healthcare, schools, caring for the vulnerable, financial services or jobs working in the legal sector.
A further fresh challenge is in respect of employees' social media accounts – it has been fairly common practice in all kinds of businesses for employees to share, like and comment on their employers' social media content. But monitoring of employees' social media activity will inevitably lead to processing and/or storing personal data about them – and therefore it has to be conducted in accordance with the GDPR, which means that employers will have to demonstrate lawful grounds for processing that data.
GDPR is a game-changer for the employee/employer relationship in many ways, not just those outlined above – and it's about much more than email marketing databases.
If you haven't carried out full GDPR audits and updated existing policies, procedures and employment contracts so that areas of risk can be identified and rectified, then that work needs to start. Above all, employers will need to be able to clearly demonstrate that they are acting in accordance with the new policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
