In this article we examine what will be required for valid consent to processing data under the General Data Protection Regulation (GDPR) and how employers should be preparing for that.
Under the Data Protection Act 1998 (DPA) employers routinely rely on individuals' consent for the lawful processing of data. When the GDPR comes into force in May 2018 this is likely to change and the use of consent will be very different to what we know now. For employers, along with the expansion of the definitions of personal and sensitive personal data, this will be a very significant change.
What's the difference?
There is no definition of consent under the DPA but the Courts must interpret it in accordance with the European Data Protection Directive; this requires consent to be unambiguous and defines it as:
'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.'
The GDPR specifically defines consent as:
'freely given, specific, informed and unambiguous indication of a data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement of the processing of personal data relating to him or her.'
The GDPR is clear that consent requires affirmative action and that silence, pre-ticked boxes or inactivity will not constitute consent. In addition, where data is processed for several purposes consent needs to be obtained for each purpose (if relied on). Employers will need to demonstrate that consent has been given for a particular type of processing.
So, what does this mean?
A general 'catch all' consent clause in an employment contract or employee-facing data protection policy will no longer be sufficient; not least because it usually seeks to capture consent to processing for numerous purposes.
The GDPR also requires employees to be informed of the right to withdraw consent and for it to be as easy to withdraw as it is to give. This information is unlikely to be included in current data protection clauses found in employment contracts.
While employers have always been aware that consent by its very nature is unreliable, as it can be withdrawn, it has largely become the default basis for processing personal and sensitive personal data; in many cases because it has been relatively easy to obtain from unquestioning employees and avoids the employer having to show the processing complies with another processing condition. This is despite the validity of consent in an employment relationship being questioned (including in ICO guidance) as the employee is in a subordinate position.
The GDPR makes it plain that consent will not be freely given if the individual has 'no genuine or free choice'. Specifically, consent will not be a valid basis for processing data where there is a clear imbalance between the individual and the data controller; hence its use in an employment context (where the employer is generally in a far stronger negotiating position than the individual) is likely to be limited.
If employers still want to rely on consent, what will be needed?
Enough information will need to be given to an individual for them to understand what they are consenting to and the extent of the processing. If individuals are asked to sign a declaration of consent then it must be provided in an 'intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms'.
The individual will also need to understand the identity of the data controller and the purposes for the processing. The declaration will need to be distinguishable from other terms and not hidden in lengthy documents or within a website or software system.
Consent will need to be verifiable in line with the GDPR's accountability requirements (which require proof of compliance); employers will need to show that compliant consent has been given. Therefore the procedure for obtaining it will need to be unambiguous and employers will need to have an easily accessible audit trail. HR systems and procedures will likely need to be reviewed and updated accordingly.
Is there anything else?
Individual rights are significantly strengthened under the GDPR. Employers should be aware that if they seek to rely on consent, individuals will have greater rights where data is processed on the basis of consent.
For example, the right of data portability (which we will cover in a forthcoming article) attaches to data processed by consent but does not attach if the legitimate interests processing condition is relied upon.
Employers should be aware that this is an aspect of data protection compliance which could fuel group and union action. If an employee can show that an employer does not have an identifiable legal basis for processing data or is not complying with the rights that attach to the processing condition relied on, the door may be opened for other employees to pursue this.
Employers therefore need to understand which processing conditions they currently rely on and whether they will continue to rely on them (and are indeed able to) under the GDPR. There will need to be a clearly identified legal basis for each processing of personal data and this will need to be evidenced.
It is likely to be difficult for employers, particularly those who have grown rapidly, to evidence that all ongoing processing was legally justified in the past. The GDPR wants employers to think carefully about what data they process and why.
What's the alternative?
It is likely that the 'legitimate interests' processing condition will be relied on more by employers under the GDPR. While this will require more preparatory work (in order to conduct the proper balancing exercise between the rights of individuals and the legitimate interests of the employer), ultimately it is likely to be the most user-friendly for employers. As mentioned above, this may also be preferable because data processed on the basis of legitimate interests also carries fewer individual rights.
What next for employers?
Employers are running out of time to get their houses in order before May 2018 and need to act now, if they haven't already.
- Review current employment contracts and HR policies to understand where your current consent wording is located and what it says.
- Audit HR data to identify the legal basis for processing it and the processing conditions which are currently relied upon.
- Decide what processing conditions under the GDPR you will rely upon for employee data after May 2018.