GDPR and employment law - consent is no longer consent
‘The Employee consents to the Company processing data relating to the Employee for legal, personnel, administrative and management purposes and in particular to the processing of any sensitive personal data (as defined in the Data Protection Act 1998) relating to the Employee…’
If you work with employment contracts, the clause above probably looks familiar – a fairly standard introduction to the data protection consent clause that gives a company consent from employees to process their personal data.
The Data Protection Act (DPA) does not define consent, so the Courts have to look to the European Data Protection Directive (Directive) when interpreting the DPA. The Directive defines consent as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. It also requires that consent is unambiguous. Clauses like the one above have been used for many years to give employers consent to lawfully process their employees’ data. Whether or not they were in reality sufficient to do this under the DPA is an open question, but under the General Data Protection Regulation (GDPR), which comes into force in May next year, it is very clear that this kind of clause will no longer be sufficient to allow employers to lawfully process their employees’ data.
What does the GDPR require?
The recitals to the GDPR contain a somewhat ominous statement from an employer’s perspective:
'in order to ensure that consent is freely given, consent is not a valid ground for processing where there is a clear imbalance between the individual and the controller'.
The relationship between employer and employee is, by its nature, imbalanced. In my years as an employment lawyer, both in private practice and in-house, I have very rarely seen a situation where an employer will change elements of the employment contract at an employee’s request. Where this does happen, it is generally a small employer who has the need and the flexibility to truly negotiate terms with their prospective employee, or, for larger corporates, in the case of senior executives, particularly where there is a specific need for that particular new hire. In most cases, any negotiation on the part of the employee is quickly closed down with a flat ‘no’, which reflects the parties’ relative bargaining positions. This means that going forward, employers will need to think carefully about whether consent is a sufficient basis for them to process their employees’ data.
The GDPR specifically defines consent as:
‘freely given, specific, informed and unambiguous indication of a data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
The reference to affirmative action, as well as the requirement that a request for consent must be clearly presented to the employee (and not buried in another document), makes it clear that simply requiring an employee to sign a contract containing a data protection consent clause will not meet the GDPR’s requirements. In addition, the GDPR requires that an employee must be informed that he or she has the right to withdraw consent at any time, it must be as easy to withdraw consent as to give it, and where data is processed for multiple purposes, specific consent must be obtained for each purpose.
So, what do employers need to do?
If you still want to rely on consent, you will need to provide the employee with some key information to help them understand exactly what they are going to be consenting to and the extent of the processing that you will be undertaking. This will include the identity of the data controller and each of the purposes for which you intend to process the employee’s data. You will need to seek consent in a declaration that stands alone, separate from other terms of employment, and which is presented in an ‘intelligible and easily accessible form, using clear and plain language’ and ‘should not contain unfair terms’. The GDPR also requires proof of compliance, so the procedure for obtaining consent will need to be recorded to ensure that there is a clear audit trail (which will mean updating HR processes to ensure this requirement is adequately covered).
It may be that the ‘legitimate interests’ processing condition, although it requires more work initially to ensure that the balancing exercise between the rights of individuals and the legitimate interests of the employer is covered, becomes a more reliable ground for employers to use when processing employee data, not least because data processed on this basis has fewer individual rights attached to it. Either way, you need to be sure that you understand which processing conditions you rely on at the moment and whether this can continue under the GDPR; if so, you will need to ensure any evidential requirements are sufficiently covered by your HR processes.
- Review employment contracts and HR policies to understand the current data protection consent arrangements.
- Audit HR data – why do you currently process data and what processing conditions do you rely upon?
- Decide the processing conditions you will rely upon under the GDPR regime.
- Amend employment contracts and HR policies and processes to reflect the new world under the GDPR.
- Ensure appropriate communications and training are given to HR and any other staff who deal with employee data so that you are ready to hit the ground running in May next year.
Even if you follow all of these steps, the GDPR significantly strengthens individual rights (watch this space for a future guest blog on this topic!). Clayden Law and mpm legal can support you through these changes – if you act now, you won’t get caught out when the GDPR comes into force. If you think we can help, please get in touch!