ICO opens consultation on consent under the GDPR

The Information Commissioner’s Office (ICO) is consulting on draft guidance on consent under the General Data Protection Regulation (GDPR).

The GDPR, which comes into effect in May 2018, sets a higher standard for consent to process personal data, by requiring that consent be freely given, specific, informed and clearly indicated by a statement or affirmative action.

The draft guidance explains when it will be appropriate to rely on consent to process personal data under the GDPR, the elements of valid consent, and how consent should be managed after it is obtained.

It also states that valid consent will be difficult to obtain in the employment context because of the imbalance of power between employers and employees.

It recommends that employers look for an alternative lawful basis to process employee personal data.

For example, employers may process employee personal data on the basis that it is necessary under the employment contract or to fulfill the legitimate interests of the employer.

The consultation closes on 31 March 2017.

Jo Pedder, interim head of policy and engagement at the ICO said: “The basic concept of consent, and its main role as one lawful basis (or condition) for processing, is not new.

“However the GDPR does set a high standard for consent. It builds on the Data Protection Act (DPA) standard of consent in a number of areas, and it contains significantly more detail on both the standard and processes for consent.

“Our guidance on consent explains our recommended approach to compliance and what counts as valid consent. It provides practical help to decide when to rely on consent, and when to look at alternatives. It also explains the key differences with the DPA and gives advice about existing DPA consents.”

XpertHR employment law editor, Qian Mou, said: “There has been uncertainty about whether or not consent could be relied on to process personal data in the employment context under the GDPR.

“This guidance will be helpful for establishing the ICO’s expectations on the use of employee consent. Employers should review their employment contracts and documents to ensure that, where necessary, they move away from relying on consent to process employee personal data before the GDPR comes into effect.”

The ICO aims to publish the guidance on consent in May 2017.

The GDPR comes into effect in the UK on 25 May 2018.