Lawyer warns employers that the GDPR mean they must re-think their approach to consent clauses in employment contracts

Kent’s leading employment law specialists have warned employers and HR professionals not to rely on consent clauses to govern the collection and processing of employee data once the GDPR comes into effect.

Many firms rely on generic consent clauses in employment contracts to cover data processing of their employees, but such clauses will not meet the requirements of the new General Data Protection Regulations (GDPR) which come into force on 25 May 2018.

Consent clauses of this nature are unlikely to be fit for purpose when the GDPR comes into force, because under the new regulations the requirements to obtain consent from individuals to process their data are much more stringent.

Under the GDPR, consent must be ‘freely given, specific, informed and unambiguous’; due to the imbalance of negotiating power between employer and employee, generic consent clauses will not meet the requirement that consent be freely given. Put another way, ‘consent’, as a basis for data processing, should do what it says on the tin; and be used only when people have a real choice in whether or not their data is processed.

Even when the employee has given their consent, employers will still need to beware; the GDPR also gives employees the ‘right to be forgotten’, meaning that they can legitimately decide to remove their consent to the processing of their data at any time and request that the data is immediately destroyed or deleted.

Employers therefore need to look to other lawful grounds for the processing of HR data and avoid relying on the use of consent clauses. Most legitimate HR activities relating to the processing of personal data are covered by Article 6 (1) of the GDPR, which sets out the lawful bases for using such information.

What employers should ideally be doing is looking at the HR data they process and asking themselves what the reason is for the processing of such data and whether it falls into one of the categories listed in Article 6. A useful starting point is to map such data at each stage of the employment cycle, and consider the reason it is needed, where it is held, how it is processed, and for how long.

Essentially, this is what the GDPR requires, a more proactive approach to data processing, one which is transparent and fair.”

Furley Page will be covering the GDPR at its forthcoming employment law seminar on 19 April 2018 at the Mercure Maidstone Great Danes Hotel. The workshop will cover a range of employment law topics, including current developments in employment law and the likely impact on companies’ workforces, GDPR for HR and practical guidance on how to prepare for changes. The subject matter is suited to all employers, no matter the size of their workforce and includes an extensive question and answer session.