GDPR: No comfort in blanket consent in Employment contract clauses

With GDPR fast approaching, senior associate Kathryn Evens and associate, Mark Searle, look at the issue of relying on consent in employment contracts for the purpose of processing employee data and what employers should be thinking about in preparation for 25 May 2018.

As highlighted in our previous Employment Bulletins, one of the biggest changes this year that employers need to be aware of (and be prepared for) is the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. 

In order to process employee data under GDPR an employer will need to establish and communicate a "lawful basis" to do so. Traditionally, employers have typically sought to rely on consent from their employees in an employment contract as a lawful basis to process personal data. However over the last few years there has been a shift in the approach to this issue (led by other European jurisdictions), including a recognition that it is extremely difficult for an employer to obtain a valid "consent" from an employee.

In order to rely upon an individual's consent to the processing their personal data, the data controller, in this context the employer, will have to show that a data subject's consent is (amongst other things):

1. Freely given
2. Specific
3. Informed
4. Unambiguous

The requirements for a valid consent listed above are not new, but "consent" as a lawful basis to process data is subject to greater scrutiny under GDPR, and is the subject of clearer guidance from regulators (including the ICO). Recent regulatory guidance confirms that in virtually all cases, consent given by an employee to an employer will not be considered to be "freely given" due to the imbalance of power between an employer and an employee – the employee may feel that withholding consent would be to their detriment - nobody wants to be labelled a troublemaker or jeopardise their career by not giving "consent" to their employer. Similarly, the typical method of obtaining "consent" (signing an employment contract) prevents the consent from being considered to be "freely given" since employers would usually adopt a "take it or leave it" approach – there is no genuine choice available to the employee about whether or not to give consent.

Whilst the main problem with data protection consent in an employment context is the lack of genuine choice for the employee as set out above, it is important to note that there are typically also other challenges with existing employee consent language. For example it is usual to see a very broadly drafted consent which would not be "specific" and, similarly, it would be unusual to find that employees are given enough information about the processing of their data for any consent to be "informed".

One further issue to consider is that consent must be as easy to withdraw as it is to give. If you find yourself in a position whereby you would (or would need to) carry on with a particular type of data processing even if an employee tried to withdraw their consent, then consent is unlikely to be an appropriate lawful basis for the processing and you will need to consider an alternative.

So if you can't rely on consent as your lawful basis for processing, what can you rely on?

The reality is that most data processing in an employment relationship is likely to be justifiable on another lawful basis permitted under the GDPR such as:

• Processing necessary to the performance of the obligations under the employment contract – i.e. what do you need to do to employ someone and fulfil their employment contract. This would include processing employee data to pay their salary and to provide a safe working environment; or
• Relying on your legitimate interests as a business (provided always that these interests are not overridden by the rights of the individual employees). This may include outsourcing certain functions to a third party supplier (i.e. a payroll provider or third party IT vendor), or sharing employee data with a parent or group company

GDPR's transparency obligations require you to ensure that your employee-facing documents describe each type of processing that you carry out (including describing the legitimate interests that you are relying on where relevant). This can be set out in the employment contract or, more typically, in an employee-facing privacy notice or policy. 

But can I still use consent?

Yes, in some limited circumstances, you may still be able to rely on consent. For example, where the employee has a genuine, free choice about whether or not their data should be processed in a particular way such as choosing whether or not to have their images included in the employer's marketing materials.

In addition, you may need to obtain consent from employees when processing particularly sensitive personal data (such as health data, or data relating to religion or race etc.) when any such processing is not necessary for an employment law related purpose.

What should I do now?

You will need to review your data processing activities and identify the true legal basis for your processing of personal data (given that, even if your contracts refer to consent, this is unlikely in reality to be the lawful basis for most of your processing). If you have not done so already, you should review your contracts to check where you are currently attempting to rely on consent from your employees. If you have clauses which state that employees consent to the processing of their data, these should be removed, with a focus instead on meeting transparency-related obligations, including providing employees with clear information about the way that you use their personal data and your lawful basis for doing so

If you need any further assistance with this please do raise this with your usual contact in our Employment Team.