Most readers will be aware that the EU's General Data Protection Regulation (GDPR) comes into force across all EU member states (including the UK), Iceland, Liechtenstein and Norway, on 25th May 2018. The headline – of really big fines for getting it wrong – has been noted by boards, but it's the detail that is beginning to matter. We all have only a year to get in shape for some real changes in practice.
Whilst obtaining consent from individuals to the processing of their personal data has always been one lawful basis (or, under current law, condition) for processing, and so is not new, the GDPR sets a high standard for obtaining valid consent, which recruiters will need to consider when processing personal data.
Under GDPR, consent is one of the six lawful grounds for processing personal data, and (as under the current law) consent can legitimise the use of special category (or 'sensitive') data.
Recital 32 of GDPR provides that, “Consent should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
Consent is defined in Article 4(11) of GDPR as, “Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
And the recruiter must be able to demonstrate that the data subject has consented to the processing of his or her personal data (Article 7(1) of GDPR). So, recruiters must keep records to demonstrate consent (what the data subject has consented to, what they were told, and how and when the data subject consented), and must (according to the ICO's draft guidance), “Have an effective audit trail of how and when consent was given.”
Article 7(3) of GDPR provides that the data subject shall have the right to withdraw consent at any time. It should be as easy to withdraw it as it was for the data subject to give it. The data subject must be informed of their right prior to giving consent. Recruiters need to be ready to action withdrawal requests.
Article 7(2) provides that if the data subject's consent is given in the context of a written declaration that also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
So, for a recruitment business signing up a new candidate, the consent must be obtained in compliance with each of those rules, to be valid.
But here's the rub:
Article 7(4) of GDPR provides that, “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” Under the GDPR, consent cannot be a precondition of signing up to a service unless it is necessary for that service. So, to the extent that personal data is needed for the performance of a placement service, that is fine, but no extra data can be required – qualifications and experience, yes, but what about hobbies, home phone number and irrelevant qualifications (driving tests, PADI qualifications)?
According to the ICO's guidance, "freely given" means that, “People must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving granular consent options for different types of processing) wherever possible.”
Are you ready for GDPR?