The key change from an HR perspective is that employers will no longer generally be able to rely on implied consent, or a general statement of consent to process data given in an employment contract. Consent clauses should now be removed from employment contracts. Article 6 of the GDPR sets out specific lawful grounds on which personal data may be processed. Employers will need to consider which grounds they will seek to rely on for processing employee data. In practice, we anticipate that the most likely ground to be relied on is where processing is necessary for the purposes of the data controller's legitimate interests "except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject". This requires a balancing act between the interests of the data controller and the data subject.
The Information Commissioner's Office (ICO) is ultimately responsible for ensuring compliance with the GDPR and it can issue substantial fines for failure to comply, up to 20 million Euros or 4% of global turnover. There are also potential reputational issues with failing to properly comply with the GDPR.
Compliance with the GDPR, and the Data Protection Act, is a huge undertaking, involving written policies, notices and practices. The obligations are being clarified as guidance is issued and enforcement action is taken. We are continuing to assist our clients, including by providing training and advice on GDPR-compliant policies and practices.