Will there be changes to the rules on obtaining consent to process personal data under the General Data Protection Regulation?

Yes, the General Data Protection Regulation (2016/679 EU) (GDPR) significantly restricts the use of consent as a justification for processing personal data, including employee personal data.

Under the GDPR, consent must be freely given, specific, informed and unambiguous. It must also be given by a statement or clear affirmative action. If consent is given through a written declaration, the request for consent must be clearly distinguishable from other matters and easy to understand.

For employers, the new requirements mean that generic consents (for example, those contained in the body of an employment contract) will not be a valid legal basis to justify processing employee personal data.

Further, in its draft GDPR consent guidance, the Information Commissioner's Office (ICO) has stated that consent will not be valid if there is an imbalance in the relationship between the individual and the organisation collecting the data. The ICO has said that this will make it difficult to obtain valid consent in the employment context and that employers should avoid relying on consent as a justification for processing employee personal data.

If they cannot obtain consent that meets the requirements under the GDPR, employers will need to ensure that they have a valid alternative justification for collecting employee personal data (for example, processing is necessary to perform the employment contract, or is necessary for the legitimate interests of the employer or employee).

The GDPR will come into effect on 25 May 2018 and will apply directly in all EU member states. The Government has confirmed that the GDPR will be implemented in the UK as it will still be a member of the EU at that time.