August 15th, 2017 | Sterling

GDPR: Consent & Legitimate Interest

Sterling is offering a 10 part webinar series about the changes to the way personal data is protected in the European Union when the EU General Data Protection Regulation (GDPR) applies on 25 May 2018. The first webinar in the series, “What You Need to Know with 12 Months to Go” introduces the changes to come. The second webinar in the series, “Consent & Legitimate Interest”, available on demand, was presented by Oran Kiazim, Vice President of Global Privacy and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher.

The GDPR or General Data Protection Regulation is an EU law which regulates the collection, use, disclosure and processing of personal information of individuals in the EU. The GDPR will replace existing European legislation, such as the UK Data Protection Act 1998, and introduces new requirements and additional burdens on European businesses. It also alters existing concepts, which means that businesses will need to review their existing processes to make sure they are compliant.

What the GDPR Says About Consent

Consent is a major component of many privacy laws around the world and, in the case of the EU, will be impacted by the GDPR. Article 4(11) GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” There are many aspects of consent, but the main criteria under the GDPR describes it as being freely given, specific, informed,  unambiguous, has affirmative action and refers to “any…indication of…wishes”.

How Will Consent Change Under the GDPR?

There are changes to the components of consent and how it will be treated in the GDPR. The conditions for obtaining consent will ultimately become stricter than the current Data Protection Directive (95/46/EC). The consent changes in the GDPR are:

• Allows an individual the right to withdraw consent at any time and as easily as they provide it
• Presumes that consent will not be valid unless separate consents are obtained for different processing activities For example: if you intend to collect someone’s information to run a background check, and send them marketing messages and provide them with separate services, you will need separate consents. You can’t bundle it all together.
• Presumes that forced or “omnibus” consent mechanisms will not be valid
• Children will be treated Parental or guardian consent is needed for children aged 13-15.

Consent in the Employment Context

For consent to be valid, it must be freely given. It is the individual’s real choice. There is no deception, intimidations, coercion or significant negative consequences. Under the GDPR, consent is not considered freely given if:

• The data subject has no genuine or free choice when consenting to the processing
• Is unable to refuse or withdraw consent without detriment, or
• There is a clear imbalance between the data subject and the controller

Regulators often consider consent to be a weak (and sometimes inadmissible) legal ground for processing personal information in the employment context. They consider that a candidate could fear being treated differently, even lose the job opportunity, if he/she does not agree to the background check. If this was the case, consent could not be considered freely given. Also, in the event a candidate withdraws consent and the data processing can continue based on another legal ground, then doubts could be raised as to why consent was used as the legal ground for processing to begin with. This would be the case, for instance, when a candidate’s explicit consent is being used as the legal ground to check his or her criminal record, when having a clean record is a legal requirement for the position the candidate is applying for.

Legitimate Interest as an Alternative to Consent for Background Screening

Data protection authorities, such as the UK’s Information Commissioner’s Office (ICO), recommends that employers look for an alternative lawful basis to process candidate’s and employees’ personal data other than consent.

While the GDPR has not substantially changed the concept of “legitimate interests,” for private organizations, there is an increased requirement for transparency on the reasons that justified relying on the legitimate interests condition. Article 6(1)(f) GDPR introduces a balancing test by which businesses must balance their legitimate interest to process the candidate or employee’s data not only against the rights of the candidate or employee but also the candidate’s or employee’s interests – irrespective of whether they are legitimate or not.

The GDPR also introduces a specific and enhanced right to object to processing based on legitimate interests, which means the burden now lies on the company to prove they have compelling grounds to continue processing the data. This can lead to the exercise of rights to restrict and erase data. Due to these requirements, when a company has decided that there is legitimate interest to subject a candidate to a background screening they should:

• Maintain records of the company’s assessment of that legitimate interest, to show they properly considered the rights of data subjects when conducting the balancing exercise
• Update the organisation’s privacy notices to set out which legitimate interests they rely on when processing the candidate’s information for background screening purposes
• Remember the candidate’s enhanced right to object which means a company can only reject the candidate’s objection if they can provide “compelling” reasons

Compliance Action Plan

At Sterling, we are strong advocates of companies adopting a background screening policy, which is – incidentally – the best place to demonstrate your assessment of the balancing exercise between the organization’s legitimate interest and the individual’s privacy rights. When creating a GDPR compliance plan, an organization must identify the ground(s) on which you collect personal information for your background screening programme.

• If you use a consent model, determine whether consent is still appropriate or whether another legal ground is more suitable. If you choose to follow a consent process:
  • Ensure that consent is active
  • Ensure that consent is not bundled together with other declarations
  • Ensure you capture separate consent for different activities/purposes
  • Ensure that candidates are told that they have the right to withdraw their consent at any time and can do so easily
• If you choose to follow the legitimate interest path:
  • Ensure you conduct (and document) a balancing exercise when relying on legitimate interest
  • Include your legitimate interest in the privacy notice displayed to employees and candidates

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

Sterling has been planning for the GDPR changes that will affect the background screening industry since 2016. One way to stay up-to-date on the GDPR changes and make sure that your organization is compliant is to sign-up for the Sterling webinar series. We are offering 10 On-Demand webinars this summer to tackle the many aspects of the GDPR from privacy notices to candidate rights. Sign up today for our next webinar about GDPR and Privacy Notices.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.