HR data and GDPR: what you need to know about consent (and why not to rely on it)
The upcoming General Data Protection Regulations (GDPR) has significant implications for HR and has, understandably, grabbed the headlines recently.
Predictions of hefty fines for employers abound. These are often attributed to the higher standard of consent for processing personal data that the legislation requires.
It is true that with the new legislation, which comes into force in May 2018 and covers employees in the EU, larger fines can be imposed: up to 4% of an organisation’s annual worldwide turnover or €20 million, whichever is greater, for serious breaches.
It is also true that the legislation imposes some new requirements on employers in respect of how they manage and secure the information they hold about their employees, what they need to document and the access they provide to it.
However, when it comes to collecting and processing employee data, a reading of the regulations indicates that the focus on consent is misleading and could, in fact, be damaging.
Consent: why not to rely on it for processing HR data
Under GDPR, consent must be freely given, specific, informed and unambiguous. It must be verifiable, shown by a clear affirmative action, and there must be a simple way to withdraw consent.
At first glance these requirements seem just as relevant to employee information as data gathered in virtually every other sort of relationship. In fact, as responsible employers, we may well feel that this level of transparency and collaboration is a bonus and a great basis for employee engagement and trust.
However, relying on a consent-led approach to gathering and processing the majority of employee-related data in an employment context is in our view:
- out of step with general employment law
- administratively likely to be highly complex to manage
- potentially problematic in the wider context of your obligations to your employees, as well as your ability to help the business run effectively
- for the most part, not required by the legislation.
Let me explain.
In an employee/employer relationship, it has long been accepted in law that one of the parties, the employer, has the upper hand.
An employee may feel that by refusing consent to information requested by their employer they put their employment relationship in jeopardy. That means that in legal terms, it is arguable that consent is not freely given.
Then there’s the question of how you gain consent. Here the phrases specific, informed, unambiguous and verifiable provide the clue.
A general catch all phrase in your employment contract is not enough, nor is a default opted-in check box. In fact, taking this to its logical conclusion, it could mean that each time you ask an employee to complete, update or even check their information, you’d need to explain why you are gathering it, what you’ll use it for and give them the option to refuse consent.
An employee may feel that by refusing consent to information requested by their employer they put their employment relationship in jeopardy.
This leads to the key issue. What happens if consent is withdrawn?
For example, if specific written consent is sought to process data such as training needs or performance appraisals, the organisation should be prepared to do without any such processing for employees that decline to consent or withdraw consent after having given it, or potentially fall foul of the law.
To put it differently, asking for consent could be construed as an admission that such processing wouldn’t be lawful without it, which could have unpleasant consequences.
Lawful basis: as the alternative to consent
Instead, employers have the option to rely on legitimate business interest, or as specified in the regulations ‘other lawful basis’. These include:
- where process is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. 6(1)(b)
- where processing is necessary for compliance with a legal obligation. 6(1)(c)
- where processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. 6(1)(f)
(You can find more information on the above on the ICO website here).
It’s relatively straightforward to see these clauses cover most of your day-to-day HR operations.
How do you contract with, or pay, employees unless you can gather information about where they live, their bank details and national insurance numbers, holiday entitlements, hours contracted and worked, sick leave taken etc.
Is it possible to fulfil your legal obligations without data on their right to work, when they move home, visa expiry, required qualifications, health and safety incidents, disabilities etc.?
What would be the impact on your business if you can’t keep track of employee performance, grievance and disciplinary issues, map out succession plans, or manage any of the other HR-related activities designed to ensure the continuity, growth, and long-term success of your organisation?
Consent: when you may need it
Consent would however be required if the processing goes beyond legitimate HR operation.
For example, if the company intends to use the personal data of employees to promote third party services, even when this is done in the context of offering benefits such as discounts negotiated by the company for all employees or of improving the employees’ wellbeing.
The same goes for the collection of data about employees which are not strictly related to legitimate HR operation; as an example, keeping track of who is overweight, while done in good faith with the intent to help the employee, would not be lawful unless the organisation has legitimate organisational reasons to monitor or control their employees’ weight.
For this kind of data processing, consent would be required, and it would have to be specific, with the kind of data and the use made clearly spelled out.
Conclusion: so, what should HR do now?
The conditions that make processing of personal data lawful even without consent have not materially changed from the formulation contained in the current law (Data Protection Act 1988).
The GDPR is not stricter on this aspect than the current Data Protection Act. This means that if not relying on consent was legal before the GDPR it continues being legal with it – subject of course to any additional legislation enacted at a country level.
This doesn’t mean that as an employer – or an HR practitioner – you can ignore GDPR in the context of your employee data.
There is plenty that still needs to be done to ensure compliance (and avoid those hefty fines the headline writers are so fond of).
The ICO provide a handy check list of key activities, which include documenting what personal data you hold, where it comes from and who it is shared with, as well as ensuring that data is appropriately protected.
For organisations still relying on spreadsheets or paper-based files, both of which are notoriously difficult to keep secure, now could be the time to move to a modern, secured HR system, like Cezanne HR.
With the advent of cloud-based HR software, these systems are widely available, and affordable to companies of every size.
It's also worth noting that the ICO flags up that GDPR introduces a new best practice recommendation that, where possible, organisations should provide remote access to a secure self-service system, which would provide the individual with direct access to his or her information.
Please note: this article is based on our understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. You should refer to the legislation and, if in doubt, work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.