GDPR: Can we still rely on employee consent to process data?
The implementation date for the General Data Protection Regulation (“GDPR”) is beginning to loom large on the horizon (25 May 2018). The Regulation will apply directly to the UK on that date, but will also be incorporated into UK law by the Data Protection Bill. There has rightfully been a focus upon ensuring that employers are aware of how to continue to lawfully process the personal data they hold and receive relating to their staff.
Much of that focus has related to the restrictions within the GDPR on the use of consent.
Whilst a number of misleading comments have been made about the use of consent, resulting in a blog from the ICO trying to demystify the situation (see below), the short point is that consent can still be used, but with limitations.
Article 7 of the GDPR provides that where consent is used as the grounds for the lawful processing of personal data, the Data Controller should be able to demonstrate consent.
The evidence of that consent needs to comply with the following rules:
- It should be clearly distinguishable from any other matters;
- It should be in an intelligible and easily accessible form using clear and plain language;
- It should be clear that the Data Subject has the right to withdraw their consent at any time; and
- It must be freely given (and should not be a condition for the performance of a contract where it is not actually necessary for the performance of that contract).
Pre-ticked ‘opt-in’ boxes (which are commonplace in online applications) and inserting consent as a standard term of an employment contract are not going to be valid indications of consent going forward.
Other lawful grounds
As a general rule, we would advise using the other available lawful grounds for processing personal data where possible, as this will impose less of an administrative burden and will not be subject to the problems related to an employee withdrawing their consent with immediate effect.
The other options for lawful processing are:
- Processing necessary for the performance of the contract (or to take steps to enter into a contract);
- Processing necessary for compliance with a legal obligation;
- Processing necessary to protect the vital interests of a Data Subject or another person;
- Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; and/or
- Processing necessary for the purposes of legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the Data Subject.
If you are unsure which of these alternative grounds is the best fit for your organisation and the purposes for which you store and process data, please get in touch and we will be happy to advise you.
Consent: Getting the wording right
If you would still like consent to be covered in your employment contracts, we would advise having it as an addendum with specific wording. Retaining a consent clause in the main body of your employment contracts would have limited value (beyond pure visibility) as it would likely be found to be unenforceable. Please do talk to us if you are looking to include/attach an addendum.
If you intend to rely on consent to process data, it is important that any agreement you ask employees to sign is tightly drafted and explains their rights as data subjects under the GDPR.
The same wording will not suit every situation, but you should ensure it always has the necessary ingredients to enable consent to be used lawfully. It is worth remembering, however, that this should generally not form part of another agreement, but if you require that to be the case it must be clearly separable.
The wording should include:
- A clear written declaration that the processing of the defined/specific personal data is agreed or is agreed for specific defined purposes;
- A clear description of the data which is covered by the consent;
- Explicit acknowledgement that the individual has the right to withdraw their consent to this processing at any time. There should be notification that, if they do so, this will not affect the lawfulness of the processing which occurred before the withdrawal of their consent;
- An explanation of who exactly they should inform to withdraw their consent; and
- A clear provision for signing and agreeing (with the date when agreed).
We will keep you fully up to date with developments in data protection law and key GDPR issues in the run-up to 25 May 2018 but, should you require any further assistance, please do not hesitate to contact one of our team.