GDPR: Employee’s Data, Consent?

With 25 May 2018 fast approaching and the implementation of the new General Data Protection Regulation (GDPR), our employment lawyer Charlotte Beeley shares with you some more important information regarding the new regulations:

GDPR: Is consent enough to allow employers to process employee’s data?

As part of our series of short blogs about the General Data Protection Regulation and what impact it will have on employers, we look at whether obtaining consent from employees to hold and process their data is enough.

One reason why data protection issues are not always at the forefront of an employer’s mind is that, under the existing legislation, data processing is easily justified by obtaining the data subject’s consent. As this is routinely included in contracts of employment, employers have simply been able to point to the contracts as the basis for processing personal data belonging to their employees.

However, this easy arrangement will no longer be possible under GDPR, since GDPR will set a higher standard for obtaining consent to process personal data. Consent will need to be freely given, specific and informed, and clearly indicated by a statement of affirmative action. The new definition includes a requirement that consent is unambiguous.

Therefore, if consent is given through a written declaration it must be clearly distinguishable from other matters and easy to understand. Consent now becomes ongoing and requires more active management and not simply a clause within the employment contract.

This means that the standard “consent to process data” clause that features in most employment contracts is unlikely to be sufficient, as the general wording in the clause will be insufficient to comply with GDPR requirements. The imbalanced bargaining position between employees and employers means it would be unrealistic to suggest that the employee has the right to make an informed choice about whether to accept this particular clause in their employment contract. Could a new employee realistically tell their new employer that they want their contract to be changed?

For consent to be a lawful reason for data processing under the GDPR, the individual must therefore be given the power to make an informed choice, and consent should be on an “opt-in” basis rather than an “opt-out” basis.

As a minimum, employers who wish to rely on employee consent to processing data will therefore need to consider creating a separate consent form to be signed by employees for each processing activity. It might be possible to prepare one main consent form for all of the anticipated activities, with further forms being created should new processing activities become necessary, for example, if you need to use an employee’s data to refer them to occupational health.

It is therefore more important than ever to obtain detailed records to demonstrate when and how consent has been provided. If employers seek to rely on consent they will need to give enough information to employees/individuals to enable them to understand what they are consenting to and the extent of the processing which they are consenting to. If you ask employees to sign a declaration of consent, this must be provided in an intelligible and easily accessible form, using clear plain language and should not contain unfair terms.

Any separate consent document will also need to outline a mechanism for employees to withdraw their consent, which they have the right to do at any time. It should be as easy to withdraw consent as it is to give, so you must avoid putting unnecessary hurdles in the way of an employee who wishes to retract permission to process their data.

According to the ICO guidance, it will be particularly difficult under GDPR for employers and public authorities to rely on consent as the basis for processing because there will always inevitably be an imbalance of power in the relationship between the employee and employer that controls their data. Such imbalance means that consent cannot be “freely given”.

Getting consent wrong will have serious consequences for an employer including substantial fines and damage to reputation. Because of the difficulties in relying on consent, in most cases it will likely be easier and more transparent to use an alternative legal justification for processing data. This makes sense because some processing of data will be inevitable, even if the employee does not consent to it. For example, an employee may not want to give their general consent to processing their data, but their data will still need to be processed in order to pay them their salary and benefits. Having considered and recorded the justifiable grounds that such data processing is required to comply with legal obligations and/or perform the employment contract, an employer will be in a much safer position than if it was simply relying on consent.

GDPR is going to have a huge impact on the data stored and processed by employers about their employees and job applications. If you would like to attend one of our free “GDPR: What are your obligations as an employer?” seminars, please contact us by email or call us on 0161 926 9969 to sign up.

MLP Law Limited

7 Market St,
Altrincham
WA14 1QE

Contact: Charlotte Beeley

Successful outcomes for you and your business
