Blog

The World of Work by Harry Sherrard


Slaying a couple of myths about GDPR

Earlier this week, using the technical miracle that is Skype, I delivered a pan-European seminar on the implications of GDPR for HR. Delegates in Italy, Germany, France and other European countries were able to listen and follow the slides, whilst I sat in our client’s offices in Surrey.

The delegates enjoyed the seminar, and appreciated that I slayed a couple of myths about GDPR. The greatest myth is probably the confusion around consent. Many commentators have a fixation with consent. It is often believed that employers must obtain consent from employees for every use of personal data. As a matter of good housekeeping, we do recommend that employees are asked to sign and return an employee privacy notice. But employers can process employee data without consent, on a number of the grounds listed in Article 6 of GDPR. For example, banking and payroll data can be processed because this is “necessary for the performance of a contract”. Employers, under the Health & Safety legislation, have a legal duty in respect of the health, safety and welfare of their staff. So, data about employees can be processed where it is “necessary for compliance with a legal obligation to which the [employer] is subject”. And, the primary basis for the lawful processing of data, where it is in the “legitimate interests of the [employer]” also applies to the employment relationship.

The confusion about consent permeates many areas. I enjoy sailing, and I am a member of a national sailing organisation. I recently received an email from this organisation, telling me that I had to opt into their emails i.e. consent, otherwise they could no longer process my data by sending me emails. Utter nonsense! It is clearly in the legitimate interests of the sailing organisation to send me emails about boating events. Moreover, by paying a membership fee I am entering into a contract, and the organisation can send me emails for the purpose of performing that contract. So there is absolutely no need to ask members to consent to receive emails from a boating organisation about boating events.

That a national level organisation is so wrong about GDPR is an interesting illustration of just how much confusion still exists.


Back to Blogs Page

Go to News for the latest about the industry