The Countdown to GDPR: processing of personal data and acquiring consent
February 22, 2018
By Employment and Privacy Law Partner, Carl Atkinson
With less than 100 days until the General Data Protection Regulation (GDPR) comes into force on 25th May 2018, businesses have started to implement compliance strategies to mitigate the risk of an enforcement action under the new system.
In our last blog we considered the initial steps businesses should take to make compliance with the GDPR as painless as possible, starting with understanding what personal data is held by the business, where it’s stored or used i.e. processed, and why the processing of personal data is necessary. Once this ‘map’ of the flow of data within the organisation is discovered, the next step we’d recommend would be to understand where there may be a risk of non-compliance with the GDPR.
Processing of personal data
For many businesses, the processing of personal data will most likely be in relation to either employee records or marketing and client contact information. It would therefore be sensible to begin a review of GDPR compliance by focusing on these fields.
The data protection principles which are set out under the existing data protection regime state that the processing of personal data should not take place unless one of the specified conditions are met. The most widely used processing condition in the UK is that the data subject has provided personal data, thus enabling businesses to begin the processing.
Significant numbers of businesses in the UK have relied upon this provision of personal data as a justification of consent for the processing of this data for many years. Often, personal data is obtained on the basis that it is “implied” from the behaviour of the data subject e.g. the provision of an email address when accessing a “free WiFi” system in a pub or restaurant. One of the key changes to be implemented by the GDPR is an alteration to the definition of “consent”, making it much more difficult to rely upon consent as a justification for processing.
Previously obtained consent from employees
Many businesses have previously obtained consent from employees by issuing an employee privacy statement, which new starters are often required to sign as part of their induction. These statements are usually drafted in broad terms and are relied upon by businesses as the basis for consent for the processing of employee personal data. However, consent which has been obtained in this way will not comply with the GDPR.
Article 4(11) of the GDPR requires consent to be “…freely given, specific, informed and unambiguous…” and specifies that consent must be evidenced by “…a clear affirmative action [which] signifies agreement to the processing of personal data…”.
The condition that consent should be “informed” will therefore require businesses to fully communicate the terms of the agreement when obtaining consent from the data subject at the time when the consent is provided.
Differing types of consent
Draft guidance issued by Article 29 Working Party in December 2017 states that use of the term “specific” in the new GDPR definition of consent will require businesses to obtain different types of consent for different processing activities.
Going forward, when a business processes employee personal data in different activities i.e. payroll, health records, disciplinary records, contact details for next of kin etc., it will be necessary to have specific consent for each activity.
This view is supported by the provisions in Recital 42 of the GDPR, which requires that the data subject should understand the intended purpose of the processing at the point of providing consent. If your employee privacy statement adopts the traditional “you consent to allow us to do what we want with your personal data” approach, it will require a significant review and overhaul.
Article 7(3) of the GDPR provides that data subjects will have the right to withdraw their consent to the processing of personal data at any time. This will mean that where consent is usually obtained via a sign up / opt in via a company website, that same website should also offer the data subject the opportunity to withdraw consent in a similar way to which consent was originally provided.
If consent is withdrawn, businesses will need to immediately end all processing activities with immediate effect. For businesses that rely upon the consent of employees to undertake data processing, this will mean that there is a risk that consent may be unilaterally withdrawn creating an immediate compliance problem. It is not difficult to foresee that this could become a tactical response for disaffected employees in times of stress for example, during a dispute or disciplinary process.
Alternative processing conditions
Given the changes to the definition of consent and the possibility that consent may be unilaterally withdrawn at any time, we are recommending that businesses consider whether it may be preferable to avoid relying upon consent as a processing condition.
One option may be to rely upon the performance of a contract to which the data subject is a party as an alternative processing condition. This processing condition is not dependent upon the agreement of the data subject, and therefore cannot be unilaterally terminated unless the contract ends and should be straightforward to document where the data subject is an employee.
This type of strategic approach to managing GDPR compliance will be most successful for businesses which are proactively reviewing their position in advance of the new legislation and with the clock ticking towards the 25th May, it is important to begin to take steps immediately.
If you have any further questions with regards to GDPR contact Carl Atkinson, Employment and Privacy Law Partner, who will provide more guidance where necessary.