The European Parliament has now passed the new General Data Protection Regulation. This will come into effect in 2018. The Regulation does make some changes to the law currently implemented by the Data Protection Act, which employers need to be aware of. In particular, the Regulation sets out tighter requirements for obtaining consent from employees to processing their personal data.

The current law requires that this consent must be “freely given, informed, and specific”. Under the new Regulation it must also be “explicit”. In addition, it states that where consent is given in a written document which also concerns other matters, it must be presented in a manner which is clearly distinguishable from those other matters.

This will have implications for employers who seek to obtain consent to data processing in the employment contract, as is often the case. Applying the Regulation, this would not be sufficient. This can probably be dealt with by asking staff to sign a separate document consenting to the processing of their data (in the same way that Working Time Regulation opt-outs are usually signed now). Employers will need to be careful of the wording of the consent forms to ensure that consent is freely given. They should also make sure that employees know exactly what they are consenting to.