This is a question that we’ve been asked a few times in recent weeks, as everyone prepares for the coming into force of the General Data Protection Regulations (GDPR) in the UK on 25th May.
So we turned to Farillio’s legal expert partners, Pam Sidhu and Helen Smart, at The Wilkes Partnership, to get some much needed guidance and clarity around what we should all be doing with our employment contracts – both the ones we already have, and any that we might be about to create.
This is what Pam and Helen shared with us...
For existing employment contracts, there are two options, and it’s recommended that you do consider them with a lawyer
1. To vary those existing employment contracts to either
a) include a new/revised clause relating to personal data processing rights for the employer; or
b) to remove the existing consent clause altogether (and then follow the approach outlined at option (b) below).
In either event, this variation process will be time-consuming and potentially more costly than option (b) below.
Existing contracts will need careful checking to determine precisely what the existing clauses cover and to make sure that any other relevant contractual provisions are not mistakenly removed as part of the variation process.
Relevant consent clauses may appear in more than one section, so you may need to check the whole contract (for instance, there may be clauses throughout the contract relating to matters like consent to obtaining medical records and consent to email monitoring).
Once you know what needs to be varied, as the employer, you’ll need to ensure you have the contractual right to make the changes yourself (without getting express consent from the employee), or you’ll need to be clear that the contract in question obliges you to get that express consent before you can make any changes.
Different employment contracts will be drafted differently. Some (many in fact) may contain what’s called a ‘variation’ clause, and depending on the wording of that clause it may mean that you will have to get the express consent of the employee before you are lawfully permitted to make the change.
2. Not to change/vary the contract terms
Alternatively, you could choose not to change or vary the terms of the employment contract.
Instead, you could choose to circulate a simple but clear statement to employees (not in the form of any contractual notice) informing them that:
you’re no longer relying on consent as a lawful basis for the processing of personal data belonging to them, as your employees (and so you are no longer relying on any consent clause in their employment contracts with you); and
b) instead, employees should refer:
i) to your business’ privacy notice for employees which sets out information describing the lawful basis on which the business will be processing their personal data, and
ii) to your internal data protection policy – and any other relevant policies (like IT policies).
You could do this as part of an update/training of employees in relation to GDPR.
The risk with option 2 is that you could potentially be seen to be misleading employees by not removing something from the contract which is now no longer compliant with the law. However, the clear statement advised above should assist in minimising this risk.
In addition, if you choose option 2:
a) you’ll need to make clear that your business’ privacy notice and internal data protection policy now clearly and correctly include matters relating to data protection and the handling of personal data in compliance with the GDPR’s requirements, and
b) you’ll need to ensure that in taking this approach, you’re not inadvertently disabling any elements of the original contractual wording that might cover wider matters than simply employee consent to personal data processing (e.g. employee commitment to compliance with their employer’s data protection policy), and which you might want to remain in place.
So, in either case, while it’s good to know where you stand and what your options may be – and many of us might well want to pursue option (b) for ease and cost-effectiveness! – it is definitely worth getting a quick view on the actual contracts that you already have in place. Then you’ll know for certain which option makes sense for your business and how to go about actioning it.
For contracts created after 25 May (or any contracts created using Farillio’s current GDPR-compliant templates) you also have 2 options:
1. Include a GDPR-compliant clause, which does not rely on employee consent, in your contract.
This clause may simply refer to your business’ privacy notice. And it may also include additional obligations on the employee to comply with the Company's data protection policy and any other related policies (such as IT policies); or
2. Not include any clause relating to the use of the employees' data…
…and rely on this to be covered in the Company's privacy notice and any other related policies and/or staff handbook to which the contract broadly refers and requires compliance with.
And as for the million-dollar question, which of these two options would our legal experts recommend?
Helen and Pam told us that they’d probably advise taking the first option, since it contains a transparent statement by an employer about how it is handling data protection-related matters and, if well-drafted, should still provide reasonable flexibility if the business needs to update its privacy notice or other policy documents from time to time (without the need to get employee consent to do so).
If you’re concerned about your employment contracts or want a speedy view about how the new legislation may affect your employment – or your trading terms and contracts, for example, Farillio has a lot of practical guidance, like Pam and Helen’s advice above, on exactly these topics – as well as handy checklists and ‘how-to’ videos designed to help you work through what you should be doing now.
And our pay-as-you-go Speak To A Lawyer service is designed to help with exactly these kinds of rapid-fire queries. Let us know if we can help to connect you with experts like Pam and Helen.