GDPR Countdown Week 9: Consent (9 weeks to go)
Our countdown to GDPR continues…
There has been a lot of misinformation produced about the use of consent as a legal basis for employers to process personal data under GDPR.
The important points to note, however, are:
- Consent remains a legal basis upon which to process personal data, but
- GDPR puts limitations on its use.
GDPR gives employers numerous options for establishing a legal basis to process the data they have, and these options do not rely on consent. We would suggest that a good starting point is to avoid using consent wherever possible (as long as another lawful processing basis can be found).
For example, under the current Data Protection Act, employers commonly relied upon consent for the processing of medical data.
Under GDPR, however, there is an express legal basis for processing such sensitive personal data for the purpose of considering fitness for work. Consent is not required.
That said, if consent is to be used, it will need to be:
- Freely given
- Informed and unambiguous
- Properly separable from an agreement to any other issue
The data subject will also need to be informed of their right to withdraw consent at any time.
If you require any assistance on this or any other GDPR issue, please do not hesitate to contact firstname.lastname@example.org or your usual Weightmans contact.