Most common HR mistakes when it comes to GDPR preparation

A key area for any organisation when it comes to preparing for GDPR taking effect in May 2018 is the personal data relating to its staff.  The most common mistake in this space seems to be when employers have asked for their employees’ consent in order to process their personal information.

Consent seems to be a box we’ve all become used to ticking, or perhaps unticking, over the last 20 years of rapid technology expansion.  It might have seemed like an easy solution to all sorts of things an employer might need to do with an employee’s personal data.  Most often consent seems to get dropped into a standard form of employment contract or employee handbook, just as a blanket ‘catch all’ type of provision to save the employer having to worry about its use of data changing in the future.

However, taking this approach will have major repercussions under the GDPR.  Essentially, consent is the one lawful condition for processing that has changed significantly under the GDPR.  Using it means more administration and management moving forward.  It also gives the individual who has given their consent more rights, including the ability to withdraw that consent at any time, thereby preventing the employer from continuing to rely on it.

Consent under the GDPR must be freely given, that is to say, not something the individual feels is effectively Hobson’s choice.  So in an employment relationship the balance of power between employee and employer makes it largely inappropriate.

For these reasons, consent ideally shouldn’t be the condition for lawful processing that an employer is relying on.  In practical terms, this shouldn’t be a problem because the vast majority of an employer’s processing of an employee’s personal data falls into one of the other, more appropriate, lawful conditions.

Most use of an employee’s personal information will be necessary for the fulfilment of the individual’s employment contract.  For example, bank details are clearly necessary in order to ensure salaries can be paid.  Lots of information used in an HR context will also be required so an employer can meet its legal obligations.  This is going to include information about someone’s gender and race being collected for the purposes of checking equal opportunities compliance, or disability information which is collected for the purposes of assessing appropriate workplace adjustments that might be required.

If there is a need for an employer to rely on consent to use an employee’s data, because no other lawful condition applies, it will probably only be appropriate for something like an optional benefit that the employee may choose to be part of or not. The types of HR scenario where consent is appropriate are more likely to be use of that information which:

  • is not in the performance of a contract
  • is not necessary in order to meet a legal obligation
  • is not required for the protection of the individual concerned

Things like gym schemes, Christmas clubs, volunteering activities or social clubs within the workplace are the most likely situations where consent might be the only condition that applies.

If an employer organisation has tried to suggest in earlier contracts and handbooks that they are relying on consent as a broad condition for all types of processing of their employees’ data, this is going to be an area that needs careful attention as part of that organisation’s compliance with GDPR.


By Emma Roe,  Head of Commercial, Shulmans LLP