In the first of our GDPR Bitesize series we discuss a significant issue for HR: the justification for processing personal data.

Given the huge volumes of personal data that HR departments deal with, this is a particular concern. Many employers currently seek to address this via a consent clause in their contract of employment, although in reality there are normally other grounds on which the majority of HR processing could be based on. Also, due to the nature of the employee/employer relationship (i.e. the clear imbalance of power) it is unlikely that an employee is able to give their employer valid consent, something that has not been lost on the ICO.

The ICO have also emphasised that seeking consent from an individual will be considered misleading and inherently unfair if the personal data would still be processed on a different lawful basis if the consent was refused or withdrawn – as this presents the individual with a false choice. It is worth noting that relying on consent where it is not appropriate or invalid could lead to substantial fines under the GDPR.

Consent is only one of the grounds on which personal data can be processed under the GDPR. In order for a consent to be valid: (i) it needs to be freely given; (ii) the individual must be able to refuse or withdraw their consent (without detriment); and (iii) the individual must have a genuine choice and control over how the data is used.

It is important under GDPR to be clear as to the basis for processing, and GDPR’s enhanced requirements should be prompting HR to understand how data flows through your department, and why this is required. Consent should not be the default option, and in fact will be the exception rather than the rule. Instead, consider if processing is needed:

  • for performance of the employment contract;
  • in order to comply with legal obligations;
  • to protect the vital interests of the employee or of another natural person (including the employee’s dependents or family); and/or
  • due to legitimate interests of the Company (provided that such processing is proportionate to the interests and fundamental rights are freedoms of the employee or data subject).

What does this mean for employers?

  • Clauses in contracts of employment relying on consent should be reviewed and, if being kept, updated to reflect an alternative basis for processing;
  • If you do not already do so you should issue employees and other personnel with a data privacy notice ( we will discuss this in more detail in one of our next GDPR Bitesize updates); and
  • Where consent is needed, in one off situations or where the other grounds do not apply e.g. where an employee authorises earnings details to be sent to their bank for a mortgage application, ensure that it meets the strict requirements under the new regime.