Summary: With less than 12 months to go until the General Data Protection Regulation (“GDPR”) comes into force, employers should now be working in earnest to prepare their HR systems for the new regime. Reviewing your employment contracts and employee policies is a key part of this process. The changes brought in by the GDPR mean employers should avoid relying on employee consent as the basis for operating their employee arrangements.
In the first of a series of updates on the HR implications of the GDPR, we look at the issues employers face if relying on the consent of their workforce to processing employee data.
Employers have commonly relied on employee consent as a catch-all lawful basis for collecting and using employee information under data protection law. Indeed, it is still not unusual to see clauses in employment contracts or references in policies where an employee consents to very extensive use of their data, for example workplace monitoring or transfers of data overseas.
For some years EU Data Protection Authorities have said that use of consent in an employment context requires careful consideration. This is because the inherent imbalance of power between employer and employee can mean that consent is not freely given, and so can be invalid. The GDPR makes this position more explicit: consent does not provide a valid legal ground for processing where “there is a clear imbalance” between the data controller (employer) and the data subject (employee). The Information Commissioner’s Office confirms in its March 2017 draft GDPR guidance that consent is very likely to be inappropriate if you are an employer processing employee data. Even where you are able to rely on consent, employees can withdraw it at any time, potentially giving rise to the need to restructure centralised HR processing practices to accommodate such exceptions.
What this means for you in practice
1. Review and update your existing employment contracts and other documentation
Wherever possible you should identify a legal basis other than consent to justify your use of employee data. For example, the processing may be necessary to perform the employment contract, or it may be necessary for the employer’s legitimate interests and not unwarranted because of any potential harm to the employee’s rights.
2. Consent may still be appropriate in limited ‘one-off’ circumstances
There may be some situations where you will be able to rely on consent, but these are likely to be very fact-specific. For example, it may be legitimate to rely on consent as a basis for offering a voluntary benefit as part of an employee’s overall compensation package.
3. Ensure you are participating in your organisation’s wider general GDPR review
The GDPR has a significant impact across your whole organisation, not just the HR function. Ideally you will be taking these steps as part of a wider GDPR review, since many elements of your compliance structure are likely to overlap with those of other departments.
Dealing with consent is just one of the many GDPR employment aspects that HR professionals need to address.