The GDPR issue that no-one considered (comment)

Why GDPR is still having a profound effect on employers and employees even after the 25 May 2018 deadline.

Comment Piece by Laura Hughes, Head of Marketing at PayDashboard

Amidst the panic about GDPR compliance and crippling fines for non-compliance, UK employers overlooked one key problem, and it is about to come back to bite us. As a collective, I believe businesses underestimated the extent to which consumers, and therefore employees, would become aware of their data rights - and now employees aren’t afraid to query when they think something is wrong.

Businesses should have seen it coming. When the first trickle of “Opt in to continue to hear from us” emails started it was clear that the floodgates would soon open. Once one company sent an opt-in email, others assumed that this was what you had to do and followed suit, starting a chain reaction of copycat “click here to stay in touch” emails clogging up inboxes of consumers throughout Europe.

What’s the problem with consumers receiving these GDPR emails?

The problem is that those consumers are also your employees. Prior to May 2018 many employees probably didn’t know much about the Data Protection Act or their rights regarding their data. When they received these GDPR opt-in emails they were made aware of their rights to specify what happens with their data. Post May 2018, everyone knows about the GDPR, and individuals feel more empowered to protect their data and to question practices that they deem inappropriate. Employees are now more aware of their rights than ever before.

Don’t believe me? This website enquiry proves my point.

As a bit of background, in the lead up to the GDPR I published several posts on the PayDashboard blog on the topic of GDPR and payslips - which means when you search for something online using these keywords in your question, our website tends to show up. On June 7th 2018 I received a contact form on our website from someone who had found and read these blogs, and had a related query. But this wasn’t a sales enquiry from a company considering moving to online payslips. This was from an individual, who asked the following question;

“I receive printed payslips from my employer by hand, but when I am off work my payslip is left on my desk. My home address is printed on there and other employees can see it. Is this a GDPR breach?”

This put me in a bit of a quandary. On the one hand I certainly had my own opinion on this situation, as did my colleagues, but there is a fine line between giving an opinion and being seen to be providing advice. It is not our place to advise this person whether their employer is behaving in a compliant manner with regards to the employee’s data. The most appropriate solution was to say that PayDashboard was not the right company to ask, and suggest that if the employee would prefer to receive their payslip another way they could discuss it with their employer.

However, I kept thinking about this person’s query, and decided to ask some of my own contacts who were more formally qualified on the subject of GDPR for their input. The responses we got were incredibly varied and insightful, with each having a slightly different view on the detail of the issue but agreeing on the overall answer.... That this was indeed a GDPR breach. You can read more about their thoughts in this blog post.

This also raised some really interesting discussion in the office

1. GDPR is not a revolution in data protection laws, it is an update to the Data Protection Act. If this practice of leaving a payslip on a desk is not compliant now, then it probably wasn’t compliant before 25 May 2018 either.

2. Less than 2 weeks after the GDPR deadline the employee was questioning the practice, and actively searching the topic of GDPR to see if their concerns were justified. Would they have done this before 25 May 2018? And would they have found an answer online to such a niche question?

3. This Company’s method of delivering payslips has probably been the norm for some time. Have other employees questioned it in the past and been told “that’s the way we do it”, and just didn’t object further? Are other employees also uncomfortable with the practice but didn’t want to say anything? Had the employee who contacted PayDashboard already raised the issue with their employer and had not had a satisfactory resolution, so was now seeking a second opinion?

Employees are now aware of their rights under GDPR

And they aren’t afraid to exercise them. We need to prepare for more pushback from employees on this kind of thing. We need to put ourselves in our employees’ shoes and consider their privacy first. If, like this person’s employer, you are choosing to deliver physical payslips you may want to read this blog post where three professionals with knowledge on GDPR gave their insights into this scenario.