GDPR: Is consent enough to allow employers to process employees’ data?
As part of our series of short blogs about the General Data Protection Regulation and the impact it will have on employers, we look at whether obtaining consent from employees to hold and process their data is enough.
One reason why data protection issues are not always at the forefront of an employer’s mind is that, under the existing legislation, data processing is easily justified by obtaining the data subject’s consent. As this is routinely included in contracts of employment, employers have simply been able to point to the contract as the basis for processing personal data belonging to their employees.
However, this easy arrangement will no longer be possible under GDPR, which sets a higher standard for obtaining consent to process personal data. Consent will need to be freely given, specific and informed, and clearly indicated by a statement or affirmative action. The new definition also includes a requirement that consent is unambiguous.
Therefore, if consent is given through a written declaration, it must be clearly distinguishable from other matters and easy to understand. Consent becomes an ongoing matter that requires active management, not simply a clause within the employment contract.
This means that the standard “consent to process data” clause that features in most employment contracts is unlikely to be sufficient, as the general wording in the clause will be insufficient to comply with GDPR requirements. The imbalanced bargaining position between employees and employers means it would be unrealistic to suggest that the employee has the right to make an informed choice about whether to accept this particular clause in their employment contract. Could a new employee realistically tell their new employer that they want their contract to be changed?
For consent to be a lawful basis for data processing under the GDPR, the individual must therefore be given the power to make an informed choice, and consent should be on an “opt-in” basis rather than an “opt-out” basis.
As a minimum, employers who wish to rely on employee consent to process data will therefore need to consider creating a separate consent form to be signed by employees for each processing activity. It might be possible to prepare one main consent form for all of the anticipated activities, with further forms being created should new processing activities become necessary, for example if you need to use an employee’s data to refer them to occupational health.
It is therefore more important than ever to obtain detailed records to demonstrate when and how consent has been provided. If employers seek to rely on consent they will need to give enough information to employees/individuals to enable them to understand what they are consenting to and the extent of the processing which they are consenting to. If you ask employees to sign a declaration of consent, this must be provided in an intelligible and easily accessible form, using clear plain language and should not contain unfair terms.
Any separate consent document will also need to outline a mechanism for employees to withdraw their consent, which they have the right to do at any time. It should be as easy to withdraw consent as it is to give it, so you must avoid putting unnecessary hurdles in the way of an employee who wishes to retract permission to process their data.
According to the ICO guidance, it will be particularly difficult under GDPR for employers and public authorities to rely on consent as the basis for processing, because there will inevitably be an imbalance of power in the relationship between the employee and the employer that controls their data. Such an imbalance means that consent cannot be “freely given”.
Getting consent wrong will have serious consequences for an employer, including substantial fines and damage to reputation. Because of the difficulties in relying on consent, in most cases it will likely be easier and more transparent to use an alternative legal basis for processing data. This makes sense because some processing of data will be inevitable, even if the employee does not consent to it. For example, an employee may not want to give their general consent to the processing of their data, but their data will still need to be processed in order to pay their salary and benefits. Having considered and recorded the justifiable grounds that such data processing is required to comply with legal obligations and/or to perform the employment contract, an employer will be in a much safer position than if it were simply relying on consent.
GDPR is going to have a huge impact on the data stored and processed by employers about their employees and job applicants. If you would like to attend one of our free “GDPR: What are your obligations as an employer?” seminars, please contact us on firstname.lastname@example.org or call us on 0161 926 9969 to sign up.