GDPR consent is imperative!
What is the issue with consent?
The new GDPR is more onerous and employers will be under a positive obligation to be able to show evidence that they are compliant with the new GDPR principles.
Most employers address the issue of consent for processing personal data by including a standard clause in their contracts of employment. In light of the GDPR, this approach will probably have to change: because of the imbalance of power between an employer and an employee, it is unlikely that an employee could be said to have given valid consent.
Should an employer continue to rely on consent?
Under the GDPR, consent needs to be freely given, unambiguous, specific and informed if it is to be valid. In essence, this means that the individual concerned must be able to refuse or withdraw their consent without any detriment being suffered.
So, if consent has to be freely given, where does this leave the employer? Consent is only one of the grounds on which personal data can be processed and, given the imbalance of power between an employer and an employee, it is likely to be rare that the condition of ‘freely given’ consent will ever be met.
So, the alternative is for an employer to rely on another legal basis for processing data and only rely on consent when there is no other legal basis to rely on.
On what different grounds could an employer rely?
Instead of consent, an employer could rely on a different legal basis to process data. Processing of data could be justified:
- To comply with legal obligations – health and safety laws, deducting tax, establishing right to work;
- To enable the employment contract to be performed, such as payment of salary or administering benefits;
- To protect the employee’s vital interests; or
- To protect the employer’s legitimate interests which would outweigh the general privacy rights of employees (as long as this is proportionate and necessary). Examples would be to run recruitment, manage disciplinary and grievance issues, record absence, obtain medical advice, monitor performance.
What should employers do now?
Employers will have to review their standard employment contracts and review the standard data processing clauses that nearly all employment contracts contain. The clause could be deleted and instead details given of the business’s privacy notice relating to employees.
Employers should have an up-to-date data privacy notice (which we will cover in a later update) explaining in detail how data is processed and what sort of data is processed.
If the consent clause is to be retained, be aware of the risks that consent may not be viewed as being freely given and consent could be withdrawn at any point.
There may well be occasions where consent is needed in specific situations. Examples would be when taking photographs for a website or to provide information to a potential mortgagor. If so, employers must be sure that any consent given meets the strict requirements of the GDPR. Clear records should be kept documenting the consent and how it was obtained from the employee.
In summary, relying on consent as the basis for processing data could prove to be difficult and if the employee refuses to give consent, it will be difficult to use another basis for processing. This could make managing sickness absence very complicated. Employees may also retract their consent as a tactic to slow down or even derail disciplinary action, for example.