The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
The good news for employers is that many GDPR rights are similar to those under the current Data Protection Act 1998 (DPA).
The bad news is that, as a general rule, GDPR expands existing rights, introduces a few new rights, and imposes significant penalties for breaches. In particular, the regulator will have the power to issue fines of up to 4% of annual global turnover or €20 million, whichever is higher, for non-compliance.
Employers that offer healthcare benefits are likely to be processing health data relating to their employees. Under GDPR, data relating to employees’ health will be regarded as ‘special personal data’, replacing the category of ‘sensitive personal data’ under the DPA.
Consent to processing special personal data has to be ‘explicit’. GDPR does not define what explicit consent means, although this is likely to be interpreted as consent in writing to a specific instance of processing of special personal data. In the context of HR data, and in particular data relating to employees’ health, valid explicit consent is going to be very difficult to obtain. A clause in an employment contract aiming to provide employee ‘consent’ to processing of personal data, including special personal data, is unlikely to be considered valid consent.
Instead, employers will likely need to rely on one or more of the specific exemptions for processing special personal data. These conditions are similar to those under the current DPA: for example, processing is permitted where it is necessary for carrying out rights and obligations under employment law, which could potentially include processing health data in order to provide employees with the healthcare benefits they are entitled to receive from their employer.
However, particularly for special personal data, processing which does not fall within the exemptions could have significant adverse consequences for employers. HR teams’ traditional justifications for lawful processing of employee data, including health data, may have to be revisited, together with the way in which the data is collected, used and retained.
The new regime is complex, and HR teams are advised to undertake careful review and planning ahead of its implementation in May 2018 to ensure they have verifiable systems and processes in place to manage data, including health data, that comply with GDPR.
Anna McCaffrey is senior counsel at international law firm Taylor Wessing