Employers may process personal data if they can rely on one of the five legal bases under the General Data Protection Regulation (GDPR).

How to gain consent

Traditionally, employers have usually relied on obtaining an employee’s consent to process their data by means of a contractual clause contained in the employment contract. Under the old regime, consent was almost a ‘catch all’ basis.

Under the GDPR, the definition of consent has been made more stringent: consent must now be ‘freely given, specific, informed and unambiguous’, must be given by a ‘clear affirmative action’ or statement, and must be in response to specific requests that detail what the consent is for.

ICO guidance

Obtaining consent for the processing of personal data has become harder within an employment context because the ICO has indicated that consent will not usually be appropriate where there is an imbalance of power – as there often is within an employer-employee relationship. The ICO also suggested in its guidance that a consent clause within a document relating to other information may no longer be adequate as consent must be separable from other written agreements and clearly presented.

In light of this, employers will most likely have to look to the other legal bases. These are:

  • For the performance of an employment contract
  • To protect the employee’s vital interests
  • For carrying out public functions
  • For the legitimate interests of the employer which discloses the personal data, if the employee’s fundamental rights and freedoms do not override those interests

From the above list, it is clear that relying on the lawful basis of necessity for the performance of an employment contract will be the most useful within an employment context. This would cover obtaining and processing data such as bank details for payroll purposes, sickness data and performance data.

It could also be sensible to rely on ‘the legitimate interests of the employer’, but you must be clear about the assessment that you have done in weighing up the employer’s legitimate interests against the employee’s fundamental rights and freedoms.

What should HR professionals do?

  • Review any contractual clauses with regard to consent to processing data, and consider varying the contracts by revoking the consent clause and issuing letters stating which legal basis you will be relying on instead
  • Ensure you are clear about the grounds of lawful processing that you are relying on currently and that
  • When you are relying on consent as the basis of lawful processing, you must ensure that:
    • Consent is still active and does not rely on silence, inactivity or pre-ticked boxes
    • Consent to processing data is clear, unambiguous and not contained within another written agreement with other declarations
    • Employees feel no pressure to provide consent, as they would if it were made contingent or dependent on the performance of the contract
    • Employees are informed of their right to withdraw consent at any time and that there are simple ways of withdrawing consent
    • Separate consents are obtained for each processing operation
    • Consent is not relied upon where there is a clear imbalance of power.