GDPR: What do employers and HR teams need to know? (Part 3)

Lawful processing

MacRoberts is running a series of interactive workshops on the practicalities of data protection compliance within the employment relationship.

In the third instalment of our series on data protection rules and their effects on employers and HR departments, we look at lawful processing under data protection legislation and how employers are affected by the new rules.

What is lawful processing?

When your organisation processes personal data, it should only do so where it has a lawful basis – this is a fundamental rule that underpins everything your organisation does with personal data and is key to compliance. Under data protection legislation, the legal bases or conditions (to which they are often referred) that your organisation must meet have, for the most part, been augmented or changed (but not necessarily all in a negative way!).

There are six legal bases (conditions) for processing data:

  1. Contractual necessity: You need to process someone’s personal data to perform a contract you have with them, for example, where you have a contract with an individual to supply goods or services.
  2. Legal obligation: Where you need to process an individual’s data because your organisation has to comply with a legal obligation under UK or EU law.
  3. Protect life: Necessary to protect someone’s life.
  4. Official function: You need to process data in order to carry out an official function or task which is in the public interest and you have a basis for proceeding under UK law. In most cases, it will apply to public bodies.
  5. Legitimate interest: Where you are a private sector organisation without consent, and you have a genuine and legitimate interest (which includes commercial benefit), so long as this is not outweighed by harm to an individual’s rights (the “legitimate interest” basis). Please note: legitimate interests will no longer apply to public bodies.
  6. Consent: The data subject has consented to the data processing.

No one condition is better than or more important than another; however, one condition may be more appropriate than another depending on the circumstances. This is particularly relevant in the case of the last condition in this list, that of consent. Consent was a lawful basis for processing under the Data Protection Act 1998 and remains so under the GDPR and Data Protection Act 2018. However, it has been changed significantly and now includes additional requirements. These mean that the debate as to whether employers could, or rather should, use consent as their legal basis is brought to an end, and employers may now find it very difficult to rely on this basis to process employee data.

Time to move away from consent?

Employers and HR teams have relied on consent to process data in many cases, despite there being dubiety as to whether consent was a lawful basis in the context of the employment relationship. However, following the introduction of the GDPR on 25 May 2018, employers are required to find an alternative basis for lawful processing of employee data.


Consent must be:

  • freely given and unambiguous; and
  • as easy to withdraw as it was to give.

In addition:

  • in order to be considered to be freely given, “consent should not provide a valid ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller” (i.e. the employee / employer relationship);
  • the request for consent must be clearly distinguishable from the other matters in a contract; and
  • where the contract requires a data subject to consent to the processing of their personal data, and the consent is not necessary for the performance of the contract, it is likely that the consent will be invalid.

So in the employment scenario, most template employment contracts have pretty much standard data protection consent clauses bundled up in the employment contract itself. That presents a couple of issues. How does an employee withdraw their consent to the processing in that context? With great difficulty. And, realistically, how freely was it given? Did your employee really have a choice? Arguably, no.

And was the consent really necessary for the processing of the contract in the first place? In many cases, the answer is no as there was an alternative valid legal basis for processing. Where employers have existing consent from employees to process their personal data, the ICO guidance is that they do not need to obtain fresh consent. However, if organisations are unable to demonstrate they have obtained consent which is compliant under the current data protection legislation and that such consent was freely given, and given in the manner expressed above, they will be required to obtain fresh express consent from employees. Thus, consent is proving to be a tricky basis upon which to rely, and the general consensus is that it should not be relied upon unless absolutely necessary and in circumstances where no other basis can be relied upon.

It is likely that employers and HR teams will (and should) rely on a number of other valid conditions for legitimate processing. These will be:

  • legitimate interests of the business (with the exception of public authorities);
  • contractual necessity (for example, processing for the purposes of paying your employees); and
  • necessary for the compliance with a legal obligation (for example: having to process tax return details with the tax office).

Each of these conditions is narrowly construed and careful consideration will need to be taken as to which is appropriate to each circumstance.

What should you be doing?

  • You should review your policies and practices including employment contracts to ensure they are compliant with the current Data Protection framework.
  • Organisations should be transparent about the nature of data processing in terms of the data used, the purposes for which the data is used and where it is processed.
  • Where consent is relied on for data processing, find an alternative and record this.
  • Identify employees who will require training on data protection.
  • Read our blogs and attend our upcoming data protection workshops.

This article was co-authored by Megan Lukins.

Read more

Part 1: Overview of the new rules

Part 2: Employee rights under data protection

