Most employer processing activities will fall under one of the ‘lawful purposes’ definitions but, in accordance with the new accountability principle, an employer needs to be clear from the outset about the lawful purpose on which it is relying, and should keep a record of this decision.
GDPR lawful purposes for ordinary personal data include processing on the basis of:
If an employer is relying on consent for any aspect of employee data processing, then they need to ensure that:
Under the GDPR, subject access requests (SARs) will entitle employees to more detailed information about the way in which their data is processed, will shorten the time limit for the employer’s response and will abolish the current £10 fee for responding to a SAR.
Employers are currently obliged to comply with a SAR within 40 days of the request.
The GDPR will require employers to comply without undue delay and at the latest within one month of receiving the request, although this can be extended by up to two further months for particularly complex or numerous requests.
It may be possible to charge a reasonable administration fee (or to refuse to act) where a SAR is ‘manifestly unfounded or excessive’; however, guidance on what this will cover is currently limited.
We are currently updating Data Protection policies and advice on consent and will be in touch soon!