• news-banner

    Expert Insights

Processing employee data under the GDPR

The new EU Data Protection Regulation (GDPR) will take effect in the UK from 25 May. Key changes include a wider definition of personal data, a “right to be forgotten” in some circumstances, tighter rules on the issue of consent and significant fines of 4% of worldwide turnover, or 20 million Euros (whichever is the greater). With potential penalties at such a high level this is not something that any organisation can afford to ignore.

In a series of Insights we will look at some of the key areas for HR, focusing here on the legal basis that employers can seek to rely on when processing employee data, and the difficulties that may arise.

The legal basis for processing

One of the principles underpinning the GDPR is that personal data must be “processed lawfully, fairly and in a transparent manner in relation to individuals”.  To meet this, it is essential that organisations consider why they are processing the data and what lawful basis they can rely on.  In the employment context, the potential bases are likely to be:

  • that the data subject has given consent
  • processing is necessary for the performance of the employment contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Of these options, consent may appear the obvious choice for employers, but there are some difficulties with this in the employment context, which we look at below.

Consent – the problems and the pitfalls

Historically, many organisations have relied on general consent clauses contained in employment contracts as the basis for processing employee data. The Information Commissioners Office (ICO) have always thought this to be problematic as an employee entering into an employment contract is rarely on an equal footing with the employer, and so has no real choice, meaning the consent is not freely given.

Under the GDPR things get even trickier. There is a new, tighter, definition of consent, which is: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. There is also a requirement that it must be as easy to withdraw the consent as it was to give it and that employees be notified of this right, meaning that any existing consents are unlikely to meet these requirements.

The ICO has indicated in draft guidance that freely given consent in the employment context will be difficult to establish as an employer is in a position of power. The guidance states that where there is an imbalance of power, there is a lack of real choice for the employee and as such “it follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing”.

Some organisations may think that the answer is to get consent, but then rely on another basis if the “consent” is successfully challenged, but the ICO have made clear they intend to discourage this type of behaviour. The draft guidance states that if you would still process the data on a different basis even if consent were refused, or withdrawn then seeking consent in the first place is “misleading and inherently unfair” as it presents the individual with a false choice and only the “illusion” of control and may lead to an employer being sanctioned. You need to identify the most appropriate lawful basis from the start.

So, what will be the most appropriate lawful basis?

In the case of ordinary personal data, it seems likely that an employer will be able to rely on the processing being necessary for the performance of the employment contract. This would enable processing of data for day to day activities such as payroll, benefits and certain disciplinary issues.  For processing outside of the everyday, specific consent will be required, and this can be withdrawn at any time.

There are additional hurdles in relation to “special categories of personal data” which is a similar, but slightly broader, version of what is currently known as “sensitive personal data”. This will cover information relating to employees’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information and data relating to sex life and sexual orientation.

Some of this can be processed on the basis that it is necessary for carrying out obligations in the employment field, so would cover, for example, processing health information to comply with disability discrimination obligations and to administer sickness benefits. For other things, specific consent will be needed on a one off basis. The consent needs to be in a separate document, clear as to what processing is taking place and must also include information about withdrawing consent at any time. Consent will need to be obtained on each occasion processing takes place.

What should employers do?

Employers should be reviewing their current policies in relation to processing. For those employers relying on general consents contained in the employment contract to process ordinary personal data, a new approach will be needed. One of the other lawful bases should be relied on – most commonly this is likely to be that the processing is necessary for the performance of the contract.

Where consent is required, ensure that this is contained in a separate, clear document and that the right to withdraw that consent is clear.

Our thinking

  • Mastering Claims Against Estates: A Guide to Debt Enforcement in Switzerland

    Remo Wagner

    Quick Reads

  • The new UK-India Free Trade Agreement – a significant development for both nations

    Kim Lalli

    Quick Reads

  • Token2049 week - what's on the horizon?

    Racheal Muldoon

    Quick Reads

  • Rebecca Steer writes for Artificial Lawyer on GenAI, copyright and the future of innovation

    Rebecca Steer

    In the Press

  • Computing quotes Gareth Mills on a major antitrust case involving Google

    Gareth Mills

    In the Press

  • Charles Russell Speechlys advises long standing client Puma Growth Partners on its investment in LOVE CORN

    Ashwin Pillay

    News

  • Global Insight quotes Shirley Fu, Tom Wong and Victoria Younghusband on trends in corporate activity in China

    Shirley Fu

    In the Press

  • PRC amends its AML Law to regulate specific non-financial institutions

    Shirley Fu

    Insights

  • New Government guidance for businesses on section 54 statements under the Modern Slavery Act

    Kerry Stares

    Insights

  • Buyouts Insider quotes Darren Bailey on private equity's increasing interest in sports

    Darren Bailey

    In the Press

  • Government received 11,500 responses to AI and Copyright Consultation

    Rebecca Steer

    Quick Reads

  • City AM quotes Darren Bailey on the compliance of NBA Europe's format and salary cap with EU law

    Darren Bailey

    In the Press

  • Dubai free zone companies can now access mainland

    Mo Nawash

    Quick Reads

  • Data protection in the UK: Charities anticipate green light to rely on direct marketing exemption

    Courtney Benard

    Quick Reads

  • UK Government’s Consultation on Copyright and AI: What’s Next for AI Developers and Creators?

    Rebecca Steer

    Insights

  • Charles Russell Speechlys ‘Client Conversations’ features Giles Pocock – VP of Brand and Marketing at Bowers & Wilkins

    Simon Ridpath

    News

  • Corporate Transparency Act: I’m still alive but I’m barely breathin’

    Timmoney Ng

    Quick Reads

  • Guide to launching online consumer brands in the UK – 10 essential steps

    Rebecca Steer

    Insights

  • Retail Week quotes Ilona Bateson on the strengths of the Fast Retailing and Uniqlo brands

    Ilona Bateson

    In the Press

  • Insights for companies from recent ISSB publications on materiality and voluntary application of the ISSB Standards

    Kerry Stares

    Insights

Back to top