Lawful processing

In the third instalment of our series on data protection rules and their effects on employers and HR departments, we look at lawful processing under data protection legislation and how employers are affected by the new rules.

What is lawful processing?

When your organisation processes personal data, it should only do so where it has a lawful basis – this is a fundamental rule that underpins everything your organisation does with personal data and is key to compliance. Under data protection legislation, the legal bases or conditions (to which they are often referred) that your organisation must meet have, for the most part, been augmented or changed (but not necessarily all in a negative way!).

There are six legal bases (conditions) for processing data:

  1. Contractual necessity: You need to process someone’s personal data to perform a contract you have with them, for example, where you have a contract with an individual to supply goods or services.
  2. Legal obligation: Where you need to process an individual’s data because your organisation has to comply with a legal obligation under UK or EU law.
  3. Protect life: Necessary to protect someone’s life.
  4. Official function: You need to process data in order to carry out an official function or task which is in the public interest and you have a basis for proceeding under UK law. In most cases, it will apply to public bodies.
  5. Legitimate interest: Where you are a private sector organisation without consent, and you have a genuine and legitimate interest (which includes commercial benefit), so long as this is not outweighed by harm to an individual’s rights (the “legitimate interest” basis). Please note: legitimate interests will no longer apply to public bodies.
  6. Consent: The data subject has consented to the data processing.

No one condition is better than or more important than another; however, one condition may be more appropriate over another depending on the circumstances. This is particularly relevant in the case of the last condition in this list for data processing – that of consent. Consent was a lawful basis for processing under the Data Protection Act 1998 and remains so under the GDPR and Data Protection Act 2018. However, it has been changed significantly and now includes additional requirements which will mean that the debate as to whether employers could, or rather should, use consent as its legal basis is brought to an end and employers may now find it very difficult to rely on this basis to process employee data.

Time to move away from consent?

Employers and HR teams have relied on consent to process data in many cases, despite there being dubiety as to whether consent was a lawful basis in the context of the employment relationship. However, following the introduction of the GDPR on 25 May 2018, employers are required to find an alternative basis for lawful processing of employee data.


Consent must be:

  • freely given and unambiguous; and
  • as easy to withdraw as it was to give.

In addition:

  • in order to be considered to be freely given, “consent should not provide a valid ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller” (i.e. the employee / employer relationship);
  • the request for consent must be clearly distinguishable from the other matters in a contract; and
  • where the contract requires a data subject to consent to the processing of their personal data where the consent is not necessary for the performance of the contract it is likely that the consent will be invalid.

So in the employment scenario, most template employment contracts have pretty much standard data protection consent clauses bundled up in the employment contract itself. That presents a couple of issues – how does an employee withdraw their consent to the processing in that context? With great difficulty – and, realistically, how freely was it given? Did your employee really have a choice? Arguably, no.

And was the consent really necessary for the processing of the contract in the first place? In many cases, the answer is no as there was an alternative valid legal basis for processing. Where employers have existing consent from employees to process their personal data, the ICO guidance is that they do not need to obtain fresh consent. However, if organisations are unable to demonstrate they have obtained consent which is compliant under the current data protection legislation and that such consent was freely given, and given in the manner expressed above, they will be required to obtain fresh express consent from employees. Thus, consent is proving to be a tricky basis upon which to rely, and the general consensus is that it should not be relied upon unless absolutely necessary and in circumstances where no other basis can be relied upon.

It is likely that employers and HR teams will (and should) rely on a number of other valid conditions for legitimate processing, these will be:

  • legitimate interests of the business (with the exception of public authorities);
  • contractual necessity (for example, processing for the purposes of paying your employees); and
  • necessary for the compliance with a legal obligation (for example: having to process tax return details with the tax office).

Each of these conditions is narrowly construed and careful consideration will need to be taken as to which is appropriate to each circumstance.

What should you be doing?
  • You should review your policies and practices including employment contracts to ensure they are compliant with the current Data Protection framework.
  • Organisations should be transparent about the nature of data processing in terms of the data used, the purposes for which the data is used and where it is processed.
  • Where consent is relied on for data processing, find an alternative and record this.
  • Identify employees who will require training on data protection.
  • Read our blogs and attend our upcoming data protection workshops.
Read more

Part 1: Overview of the new rules

Part 2: Employee rights under data protection