GDPR for HR: When (and when not) to use consent as a lawful basis
Of all the lawful bases a company can have for processing employee data under GDPR, consent can be a tricky one. Just look to Facebook and the Cambridge Analytica incident. Facebook faces controversy for failing to protect personal data and not being fully transparent around how data could be shared with third parties. As a result, governments around the world are investigating the company and users are dropping the service.
As an HR professional, if you’re currently relying on blanket consent to collect personal data, you may want to reconsider this approach. The GDPR sets a high standard for using consent as a legal basis, making this strategy risky and an administrative burden. However, the good news for HR is that you don’t need to rely on consent if you’re collecting data strictly for day-to-day HR operations. In this case, a legal or contractual obligation will typically cover you.
When not to use consent as a legal basis
Consent alone isn’t indisputable proof that employees wholeheartedly agreed to have their data tracked, especially because of the inherent imbalance of power between employee and employer. Add the GDPR’s strict requirements for using consent and you can see why it’s better to collect data under another documented legal basis instead.
Generally, another legal basis will apply if the data you’re collecting is necessary for:
- The performance of a contract (e.g., data that makes it possible to pay an employee)
- Compliance with legal obligations
- The interests of the employer (except when they’re overridden by the interests or rights of the employee)
Once you determine an appropriate legal basis for collecting HR data, best practice is to document the purpose and inform employees with a formal acknowledgement prior to collecting the information. What doesn’t count as a legal basis? According to the U.K.’s Information Commissioner’s Office, if you can reasonably achieve the same goal without processing the data in question, you won’t have a lawful basis.
When to use consent
In some instances, consent may be a better fit. For example, you may want to use photos of employees taken during an office photo session. When using consent as a basis, make sure that consent is:
- Opt-in: You cannot use pre-ticked boxes or infer consent through inactivity
- Specific: Each purpose needs its own consent forms
- Explicit: Eliminate any confusing, unclear or jargon-heavy language
- Separate: You can’t combine consent to data processing with other terms and conditions
- Freely given: Employees must feel free to object to having their data collected and cannot suffer any consequences for denying such consent (e.g., lower bonuses or worse performance reviews)
- Easily withdrawn: You must provide an easy way for employees to withdraw consent at any time
- Documented: You’ll need to keep a record of who consented, when and how they did so, and what you told them at the time.
What to do before the deadline
Prior to the May 25th deadline, review all your processes and policies for collecting employee data. Start by ensuring there’s a legal basis or contractual requirement for the data you collect. For cases that rely on obtaining consent, make sure you can prove that consent has been freely given and that refusal has no impact on an individual’s employment.
What comes next?
Reviewing your consent process is one of many steps to take for GDPR compliance. What else do you need to think about? We walk you through the entire process of GDPR compliance in our new eBook, The GDPR Compliance Workbook for HR: A Practical Guide for Building an Actionable Compliance Plan.
About Jolene Nicotina
Jolene Nicotina is the Content Marketing Manager for North America at PeopleDoc, Inc. She works on making sure HR professionals have all the latest information they need related to HR service delivery, HR technology, and PeopleDoc, Inc. Prior to PeopleDoc, Jolene worked in marketing communications for the healthcare technology industry.