GDPR: moving away from consent

Changes to the definition of consent under the new data rules mean HR should be thinking about adopting a different approach

The justification for processing personal data is a particular concern for HR departments because of the high volumes involved. Many employers currently seek to address the processing of employee data via a template consent clause in their contracts of employment. This is something to consider changing in light of guidance from the Information Commissioner's Office (ICO) and the higher standards required by the General Data Protection Regulation (GDPR), which applies from 25 May 2018.

Because of the imbalance of power in the employee/employer relationship, it is unlikely that an employee is able to give their employer valid consent – something that has not been lost on the ICO.

The ICO has also emphasised that seeking consent from an individual will be considered misleading and inherently unfair if the personal data would still be processed on a different lawful basis were the consent refused or withdrawn, because this presents the individual with a false choice. Relying on consent where it is inappropriate or invalid could lead to substantial fines under the GDPR.

For consent to be valid, it needs to be freely given; the individual must be able to refuse or withdraw their consent (without detriment); and the individual must have a genuine choice and control over how the data is used.

However, consent is only one of the lawful bases on which personal data can be processed under the GDPR and, if processing is carried out for any of the other reasons specified in the regulation, consent is not required. Consent should not be the default option (because of the risk that it is a false choice or the wrong ground for the processing) and in practice will be the exception rather than the rule. Instead, consider whether the processing is needed:

  • for the performance of the employment contract;

  • to comply with legal obligations;

  • to protect the vital interests of the employee or of another natural person (including the employee’s dependants or family); and/or

  • because of the legitimate interests of the company (provided those interests are not overridden by the interests or fundamental rights and freedoms of the employee or other data subject, which means the processing must be necessary and proportionate).

It is important under the GDPR to be clear on the basis for each processing activity, and the GDPR's enhanced requirements should be prompting HR professionals to understand how data flows through their department and why each flow is required.

What does this mean for employers?

  • Data processing clauses in contracts of employment that rely on consent should be reviewed and, if a data protection clause is being kept, employers may wish to update it to reflect the alternative basis on which the processing actually relies.

  • If you do not already do so, issue employees and other personnel with an employee data privacy notice, which sets out what personal data will be processed, on what lawful basis, and the other specific categories of information the GDPR requires (such as retention periods and the individual's rights).

  • Where consent is genuinely needed, in one-off situations or where the other grounds do not apply (for example, where an employee authorises earnings details to be sent to their bank for a mortgage application), ensure it meets the strict requirements of the new regime: freely given, specific, informed, unambiguous and as easy to withdraw as to give.

Alison Woods is a partner and Val Dougan a professional support lawyer at CMS