Will there be changes to the rules on obtaining consent to process personal data under the General Data Protection Regulation?
Yes, the General Data Protection Regulation (2016/679 EU) (GDPR) significantly restricts the use of consent as a justification for processing employee personal data.
Under the GDPR, consent must be freely given, specific, informed and unambiguous. It must be given by a statement or clear affirmative action. If consent is given through a written declaration, the request for consent must be clearly distinguishable from other matters and easy to understand. The individual has the right to withdraw his or her consent at any time.
For employers, the new requirements mean that generic consents (for example, those contained in the body of an employment contract) will not be a valid legal basis to justify processing employee personal data.
Further, in its draft GDPR consent guidance, the Information Commissioner's Office (ICO) has stated that consent will not be valid if there is an imbalance in the relationship between the individual and the organisation collecting the data. The ICO has said that this will make it difficult to obtain valid consent in the employment context and that employers should avoid relying on consent as a justification for processing employee personal data.
Employers will need to ensure that they have a valid legal basis for collecting employee personal data (ie processing is necessary to perform the employment contract, to comply with a legal obligation or for the legitimate interests of the employer). They should rely on consent as the legal basis for processing only if the employees have a genuine choice about whether or not to provide it and will suffer no consequences if they choose not to.
The GDPR will come into effect on 25 May 2018 and will apply directly in all EU member states. The Government has confirmed that the GDPR will be implemented in the UK, as the UK will still be a member of the EU at that time.