With GDPR, having staff provide written consent to use their data may not be sufficient

Many companies may be forced to not only change the way they process data, but under GDPR regulation they may even have to re-think some of the core assumptions they have made in the past.

Not so long ago, if you were taking out a loan or a new credit card, you would have been urged to also take out a policy to insure you in the event that you lost your job, so you could carry on making payments. You weren’t necessarily forced to take out PPI, but maybe you felt it was an unspoken condition of the loan. As we all know, banks had to pay a huge price for their approach to PPI. If PPI taught us anything, it is that consent, even if it is apparently freely given, may not be enough.

Under the new General Data Protection Regulation (GDPR), coming into force on May 25th 2018, employers may have to totally re-think the way they collect and process data related to staff.

Some employers may be tempted to assume that all they have to do is get employees to sign a document giving permission to their employer to make use of their data. But this may not be enough.

The ICO, the UK regulator charged with ensuring compliance to the Data Protection Act, and now GDPR, states: “If for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data".

In short, just as was the case with PPI, consent may not be enough.

And when consent is given it must be “freely given, specific, informed and unambiguous,” says the ICO. The employee must be given a genuine choice when consenting to the use of data.

Given the asymmetrical nature of the relationship between employer and employee concerning consent, the ICO says: “If you are processing employee data... you should look for another basis for processing such as….'legitimate interests.’”

And the fines that could be applied to companies that are deemed to have not complied with GDPR are potentially enormous - 4 per cent of turnover.

In practice, this means that the employer, (the data controller) needs to apply certain practices when dealing with data related to employees (data subject.)

To comply with GDPR the data controller must provide data in a way that is:

  • concise
  • transparent
  • intelligible
  • easy to access
  • distinct from other arrangements from the data subject
  • written in clear precise language.
And the employer must keep the employee informed before data is collected or changed.

There is however, the potential of future disagreements between an employer and employee, at which point an employee might argue consent was not given freely. GDPR itself states that the employer needs to ensure that the data it collects and processes must be “adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.”

To this end the employer needs to focus on:

  • the amount of data
  • the extent of the data
  • and the time frame in which it is held
If conditions change and the original purpose for which the data was collected is no longer relevant then it may need to be deleted.

There is also the issue of security and integrity of data. The employer must apply appropriate procedures and technology to protect the data.

And finally, there is the right to be forgotten, the data subject can request data held is removed.

To find out more about GDPR check out the next GDPR Summit London