- People
- Expertise
Our expertise
We are a team of more than 500 professionals, with the depth of experience which makes us genuine experts in our fields. Together, gunnercooke’s people have strength across just about every corporate discipline and sector. We provide legal, commercial and strategic advice that delivers real value to the clients we work with, which span from multinational enterprises through to unicorns and non-for-profit organisations. Our breadth of expertise covers some of the most interesting and important emerging disciplines, from ESG and charity law, to blockchain and competition.
Search by practice areaDispute ResolutionDispute Resolution OverviewMeet the Dispute Resolution TeamIntellectual Property DisputesFinancial Services & FinTech OverviewProceeds of CrimeEmployment TribunalTax InvestigationProperty Dispute ResolutionInsolvency DisputesMediationCivil Fraud & Asset TracingHealth & SafetyBusiness Crime & InvestigationsLitigation & ArbitrationInternational Arbitration - International
International Offices
gunnercooke has 12 offices globally including the UK, Scotland, US, Germany and CEE, with further plans for growth in the coming years. These offices enhance the existing in-house capability of our dedicated international teams and dual-qualified experts that cover China and Hong Kong, Spain, France, Italy, Brazil and Portugal. Our team has experience working across 101 different countries, speaking 30 languages and are dual-qualified in 15 jurisdictions. Our expertise means we can offer large teams to carry out complex cross-border matters for major international clients.
- Our story
Our story
gunnercooke is the fastest growing corporate law firm in the UK, now making its mark globally. We comprise a rapidly growing number of experts spanning legal and other disciplines. Clients benefit from flexible options on fees to suit their needs, access to a wider network of senior experts throughout the relationship, and legal advice which is complemented by an understanding of the commercial aspects of running a business.
- Reading Room
- News & Insights
The Countdown to GDPR: processing of personal data and acquiring consent
General Data Protection Regulation (GDPR) comes into force on 25th May 2018. In order to comply businesses have started to implement compliance strategies to mitigate the risk of an enforcement action.
In our last blog we considered the initial steps businesses should take to make compliance with the GDPR as painless as possible, starting with understanding what personal data is held by the business, where it’s stored or used i.e. processed, and why the processing of personal data is necessary. Once this ‘map’ of the flow of data within the organisation is discovered, we would begin the next step. We’d recommend understanding where there may be a risk of non-compliance with the GDPR.
Processing of personal data
For many businesses, the processing of personal data will most likely be in relation to contact information. It would therefore be sensible to begin a review of GDPR compliance by focusing on these fields.
The data protection principles which are set out under the existing data protection regime state that the processing of personal data should not take place unless one of the specified conditions are met. The most widely used processing condition in the UK is that the data subject has provided personal data, thus enabling businesses to begin the processing.
Significant numbers of businesses in the UK have relied upon this provision of personal data as a justification of consent for the processing of this data for many years. Often, personal data is obtained on the basis that it is “implied” from the behaviour of the data subject e.g. the provision of an email address when accessing a “free WiFi” system in a pub or restaurant. One of the key changes to be implemented by the GDPR is an alteration to the definition of “consent”, making it much more difficult to rely upon consent as a justification for processing.
Previously obtained consent from employees
Many businesses have previously obtained consent from employees by issuing an employee privacy statement, which new starters are required to sign. These statements are usually drafted in broad terms and are relied upon by businesses as the basis for consent for the processing of employee personal data. However, consent which has been obtained in this way will not comply with the GDPR.
Article 4(11) of the GDPR requires consent to be “…freely given, specific, informed and unambiguous…” and specifies that consent must be evidenced by “…a clear affirmative action [which] signifies agreement to the processing of personal data…”.
The condition that consent should be “informed” will therefore require businesses to fully communicate the terms of the agreement when obtaining consent from the data subject at the time when the consent is provided.
Differing types of consent
Draft guidance issued by Article 29 Working Party in December 2017 states that use of the term “specific” in the new GDPR definition of consent will require businesses to obtain different types of consent for different processing activities.
Going forward, when a business processes employee personal data in different activities i.e. payroll, health records, disciplinary records, contact details for next of kin etc., it will be necessary to have specific consent for each activity.
This view is supported by the provisions in Recital 42 of the GDPR, which requires that the data subject should understand the intended purpose of the processing at the point of providing consent. If your employee privacy statement adopts the traditional “you consent to allow us to do what we want with your personal data” approach, it will require a significant review and overhaul.
Withdrawing consent
Article 7(3) of the GDPR provides that data subjects will have the right to withdraw their consent to the processing of personal data at any time. This will mean that where consent is usually obtained via a sign up / opt in via a company website, that same website should also offer the data subject the opportunity to withdraw consent in a similar way to which consent was originally provided.
If consent is withdrawn, businesses will need to immediately end all processing activities with immediate effect. For businesses that rely upon the consent of employees to undertake data processing, this will mean that there is a risk that consent may be unilaterally withdrawn creating an immediate compliance problem. It is not difficult to foresee that this could become a tactical response for disaffected employees in times of stress for example, during a dispute or disciplinary process.
Alternative processing conditions
Given the changes to the definition of consent and the possibility that consent may be unilaterally withdrawn at any time, we are recommending that businesses consider whether it may be preferable to avoid relying upon consent as a processing condition.
One option may be to rely upon the performance of a contract to which the data subject is a party as an alternative processing condition. This processing condition is not dependent upon the agreement of the data subject, and therefore cannot be unilaterally terminated unless the contract ends and should be straightforward to document where the data subject is an employee.
This type of strategic approach to managing GDPR compliance will be most successful for businesses which are proactively reviewing their position in advance of the new legislation and with the clock ticking towards the 25th May, it is important to begin to take steps immediately.
By Employment and Privacy Law Partner, Carl Atkinson
If you have any further questions with regards to GDPR contact Carl Atkinson, Employment and Privacy Law Partner, who will provide more guidance where necessary.
