Employers who rely upon an employee or prospective employee’s consent to data processing in their employment contracts must take note: the requirements on obtaining consent from individuals to their data being processed are much more stringent under the new GDPR regime. With the GDPR applying from May 2018, employers must now re-think their approach to consent clauses in employment contracts. Getting it right is crucial as the potential consequence of non-compliance is a fine of up to €20 million or 4% of global turnover.

Why the need for change?

The current Data Protection Act 1998 (DPA) intended for data protection consent clauses in contracts of employment to be a product of choice: employees should be able to agree or disagree without repercussions. All well in theory, but the reality has been somewhat different. Such clauses are often buried in long employment contracts; employees feel they cannot object due to the imbalance of power (and the simple desire not to cause a ‘nuisance”), perhaps saving their concerns for issues they perceive as more critical to them such as pay, holiday or restrictions on their activities following employment.

So what changes in the GDPR?

The GDPR sets out strict requirements for valid consent to processing:

  • Consent must be freely given, informed, specific and unambiguous.
  • Consent must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
  • Consent must be as easy for an individual to withdraw (at any time) as it is to give.

What does this mean for you?

Employers will need to make changes in light of these new requirements:

  • Employers will be unable to rely upon generic consent clauses to data processing in employment contracts. Those clauses will fall foul of the requirement that consent be freely given, due to the imbalance of negotiating power; they are also not distinguishable from other matters.
  • This will require a refocus of HR attention onto other justifications or legal grounds for processing permitted by the GDPR (see below). Consent should only be relied upon when absolutely necessary and then in a separate ‘consent’ declaration complying with the ‘higher standard’ set out above.
  • Where consent is relied on, beware – an employee can retract it at any time and individuals have greater rights where data is processed on the basis of consent. These new rights may well become a tactic used by employees to, for example, stall disciplinary or redundancy processes.

There is scope under the GDPR for some specific employment related deviations. We are currently awaiting further details of what will be in the UK’s Data Protection Bill announced in June in the Queen’s Speech, but with questions already raised as to the validity of consent under the existing DPA, employers should start preparing now for a change in their approach to consent.

Tackling consent – what do you need to do?

HR teams must start preparing now for the transition to this new regime, working alongside relevant parts of the business, including (where the business has one) the Data Protection Officer, to:

1. Conduct a data mapping exercise to establish what data is processed, why and for how long. Once you’ve done that, consider which of the legal grounds for processing apply to each of your processing activities. For example, are certain types of processing a contractual necessity (employee payment data), required to enable the employer to comply with a legal obligation (social security data) or in the employer’s legitimate interests (and an assessment has been made that those interests are not overridden by the potential harm to the individual).

2. Reconsider the use of clauses in employment contracts which seek to obtain broad consent from the employee to process their data. That broad consent will not be valid. Your contracts may still include clauses referring to your employee privacy policy (without asking employees to “agree” to it), and a clause governing those employees’ own use of personal data in the course of their employment (for example, when handling other employees’ data or customer data).

3. Where consent remains necessary to process personal data (and it will still be necessary in some cases), consider including any consent provisions in a separate declaration which is not intrinsically linked to the employee’s acceptance of employment. The declaration must be detailed, specific and explicit as to its purpose and should be tailored to each business. There is no “one size fits all”.

4. Remember when you obtain consent, that there is always a right for the employee to withdraw at any time and with no detrimental consequences. You will need a mechanism in place (in your back-end systems) to facilitate this.

5. Ensure that the information you provide when you seek to obtain consent is consistent with your privacy notices (which should explain to employees, amongst other things, the legal ground(s) processing which are being relied upon).

6. Forward plan your internal process for communicating with employees about these changes to their employment contracts and how information will be made available to them.