Facebook’s data processing scandal could set the tone for GDPR claims

Ahead of the implementation of the GDPR on 25 May, Facebook and its relationship with Cambridge Analytica could set a quasi-benchmark in consumers’ minds about how much their GDPR claim could be worth if their personal data is mishandled.

Accepting the fact that the GDPR and data protection is not the most scintillating subject for most people, Facebook’s woes have enabled the press to bring GDPR to light, specifically the right to be forgotten and the right to make a financial claim when data is misused – possibly the most interesting requirements of GDPR from the general public’s perspective.

Legal opinion

Employers have huge databases, often many times larger than their current staff numbers as businesses often retain information on former employees, contract staff, failed job applicants and even the numerous CV’s that they receive.

While a data breach at your company won’t necessarily be as headline grabbing as Cambridge Analytica’s acquisition of 50 million Facebook users without their consent, it could be equally damaging.

There are other issues that employers must consider including the ways rules and regulations surrounding employee data are being tightened. One notable change is that employers cannot rely on blanket consent to process their data. Consent can only be requested if the employee can genuinely give consent and has the option to say ‘no’ or withdraw this consent at any time.

If you haven’t already done so we advise carrying out an audit of all the personal data that you hold on your employees. You will need to put in place privacy notices to address the different points in the employment life cycle that you may retain personal data such as recruitment and your practice in relation to former employees. You should then consider updating your template employment contracts for new employees; updating data protection policies and other policies in your handbook where relevant for example disciplinary policies, and updating or drafting privacy policies and data retention policies.

We can assist you in reviewing the results of your audit and determining whether you have a lawful justification for retaining this personal data under the GDPR. We can also assist with drafting and updating relevant documentation.