GDPR – Is consent always required?
Processing data under GDPR
I had a brief chat with an associate yesterday about the forthcoming General Data Protection Regulation (GDPR) and the impact it will have on HR. Then I had a long Google session seeing if the same views were being given by others. I came away feeling concerned! Why? It seems that many people are getting really hung up on GDPR and that data subject consent is an absolute must for anything to do with personal data in the future – and if you don’t get that consent or if the consent is withdrawn then many current business practices will be impossible. So for instance:
- An employee may be having disciplinary action taken and tells you that they are withdrawing consent for you to hold their disciplinary data – so you can’t take and store notes etc.
- Explicit consent must be obtained from all employees for all data collected, processed and shared about them and a contract of employment can’t be relied upon to give consent.
If not consent, what?
Consent is not the only basis upon which personal data may be lawfully processed and The Information Commissioner, herself blogged about this in August to try to bust some myths. Under GDPR there are six provisions given in Article 6 for the lawful processing of personal data:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Data Protection Impact Assessments
What organisations have to do under GDPR is to determine which lawful basis is being used to process personal data and then clearly document that decision and the reasons which have led to making it. A data protection impact assessment will help with both the decision making and the documenting of it.
In the two, simplified examples given above, it is much more likely that legitimate interests is the basis for processing personal data about a disciplinary action, Article 6(1)(f), and dependant upon the personal data collected about employees and the type of employer any of the other provisions may be more applicable than consent for processing employees’ personal data.
So consent is not a prerequisite for collection of personal data and so fears that current business practices will be impossible are generally unfounded.
When an organisation has determined that consent, Article 6(1)(A), is the lawful basis for processing personal data then the ICO has a guidance document.
The special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) are not covered by Article 6 and may only be processed as defined in Article 9 of the GDPR.
GDPR Preparedness Toolkit Seminar
This 2 hour seminar will help you, as you take your first steps towards compliance by sharing practical insights about implementing a data security based approach in line with the Regulation. You will learn about:
- Why you have to comply with the GDPR and what might happen if you don’t.
- The GDPR’s direct effect on your business and the transition timelines.
- The steps to take in preparing for compliance.
- The technical and organisational measures your business will need to adopt to comply with the Regulation.
- A key assessment toolkit you can use to help you to achieve compliance.
The seminar will be held at The Birch Hotel, Heywood with easy access to the M60, M62 and M66 on:
Wednesday, 27th September 2017, 14:00 to 16:15– SOLD OUT
- Wednesday, 25th October 2017, 14:00 to 16:15
- Wednesday, 29th November 2017, 14:00 to 16:15
Standard tickets are £25.00
Early Bird Discount tickets are £15.00 (available only if you book within 14 days of the seminar)
Contact us on 0345 319 4887 to book or book online with Eventbrite.