The GDPR, which applies from 25 May 2018, requires that consent be freely given, specific, informed and unambiguous.
That means employees must have a genuine choice as to whether or not to consent to the processing and must be able to refuse or withdraw consent without detriment. Because of the imbalance of power in the employment relationship, consent will rarely be the appropriate basis for routine employee data processing.
Most employer processing activities will fall under one of the other Article 6 lawful bases but, in accordance with the new accountability principle, an employer needs to be clear from the outset which lawful basis it is relying on for each processing activity, and should keep a record of this.
GDPR lawful bases for ordinary personal data include processing on the basis of:
- legitimate interests of the data controller (or a third party), provided these are not overridden by the employee's interests or rights;
- necessity for the performance of a contract with the data subject;
- compliance with a legal obligation;
- protecting the vital interests of the data subject;
- necessity for the performance of a task carried out in the public interest.
If an employer is relying on consent for any aspect of employee data processing, then they need to ensure that:
- consent is a separately agreed ‘opt in’ (not contained in terms and conditions of employment or in a pre-ticked box). It must not be vague and must be kept under review; the GDPR sets no fixed expiry period, so a routine refresh (for example every two years) is good practice rather than a legal requirement, but consent must be refreshed whenever the processing changes;
- consent is specific to the data in question and what the employer is using it for;
- if the employer is sharing the data, each third party is named and specific consent is sought;
- the employer advises that consent may be withdrawn and how to do this;
- the employer keeps specific records regarding consent to demonstrate compliance.
Subject access data requests
Under the GDPR, subject access requests (SARs) will entitle employees to more detailed information regarding the way in which their data is processed, will reduce the time limit for the employer’s response and will abolish the current £10 fee for responding to a SAR.
Employers are currently obliged to comply with a SAR within 40 days of the request.
The GDPR will require employers to comply without undue delay and at the latest within one month of receipt, although this can be extended by up to two further months for particularly complex or numerous requests, provided the employee is told of the extension and the reasons for it within the first month.
It may be possible to charge a reasonable administration fee, or to refuse to act, where the SAR is ‘manifestly unfounded or excessive’; however, guidance is limited on what this will cover, and the burden of demonstrating that a request is manifestly unfounded or excessive falls on the employer.