A lot has been written about the General Data Protection Regulation (GDPR) coming into force across Europe on May 25, and with just two months to go ’til it finally takes effect, there is still confusion around the need for consent. So much so that Elizabeth Denham, the UK’s Information Commissioner (ICO), recently made it the subject of a myth-busting blog post.
The myth is that if you want to process a person’s data, you must have their consent. But consent is only one of the lawful reasons why you are allowed to process personal data, and in many situations, it may not be appropriate.
Consent puts the individual in control of the use of their data and should only be relied on where they have a genuine choice as to whether you process their personal details or not. The problem with consent is it can be withdrawn, and if your processing is necessary for reasons other than providing a service to the individual, then you should choose one of the other six lawful bases listed in Article 6(1) of the GDPR.
PREMIUM CONTENT: A Guide to Implementing the GDPR
Consent and Staffing
Consent is a particular problem for temporary staffing because, first there is an imbalance in the employment relationship – if you want the job, you must consent. And second, as a staffing business, you will need to undertake a number of activities involving the processing of personal data relating to workers. These will include forwarding their details to a client and/or an MSP, operating payroll, using workforce data for analytical purposes and maintaining a database of past, present and potential workers.
In these circumstances, the grounds for processing will be one of the three other most relevant lawful bases permitted by the GDPR. These are that processing personal data is necessary for the performance of a contract with the worker, or to comply with a legal obligation, or that it is necessary for the legitimate interests of your business.
Where you do rely on consent, say in the context of providing recruitment services to work-seekers, the requirements for obtaining valid consent are of a much higher standard under the GDPR.
No simple opt-out. In the past, organizations have almost routinely issued or posted a notice stating what they intend to do with your data and asking you to opt out if you do not want your data used in that way. In the future, reliance on a pre-ticked ‘opt out’ box will not cut it. Consent will have to be explicit, confirmed in words rather than by inaction and must be freely given.
Standalone. In addition, consent requests must be separate from any other terms and conditions and if consent is required for several different activities, then the individual must be given the option to consent separately to different types of processing.
Right to withdraw. You must inform the individual of their right to withdraw their consent and give them simple and effective means to do so.
Of course, even if you choose another lawful basis for your general processing of personal data, there are activities for which you may still need to obtain explicit consent. Explicit consent can legitimize automated decision-making, including profiling and it can also legitimize processing of special category data relating to one’s racial or ethnic origin, political, religious or philosophical beliefs and data concerning health. You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.
Remember that even if you are not asking for consent, you will still need to provide clear and comprehensive information about how you use personal data in the form of a Privacy Notice. One of the requirements for such notices is that you state the lawful basis for processing data. So, it is important to think carefully when drafting the notice, and choose the basis that most closely reflects the purpose of the processing.
As the draft guidance on consent issued by the UK’s ICO puts it “Handling personal data badly – including relying on invalid or inappropriate consent – can erode trust in your organization and damage your reputation”. It can also lead to substantial fines.
For further information on compliance with GDPR refer to our report “Implementing GDPR: A Guide” published last week.
