Until now, most employers have relied upon their employees' consent in order to process their personal data. Under the GDPR, however, the requirements for consent will be much stricter, particularly in the employment context, where it is generally accepted that the imbalance of power between employer and employee is likely to invalidate any consent given by the employee.

Nevertheless, all is not lost. Consent is only one of a number of potential legal bases for processing employees' data. Employers will therefore need to consider whether any of the available alternatives are appropriate for their processing requirements.

In this context, employers may turn increasingly to "legitimate interests" as a lawful basis for processing. The legitimate interests ground is potentially wide in scope and flexible but, as the Information Commissioner's Office (ICO) warns in its latest guidance, employers should not assume it will be appropriate in all cases. Essentially, a proportionality assessment is required.

The ICO guidance requires employers to apply a three-stage test:

  1. Purpose test: identify the legitimate interest;
  2. Necessity test: assess whether the processing is necessary to achieve that interest; and
  3. Balancing test: balance the legitimate interest against the individual's interests, rights and freedoms.

Where an employer can reasonably achieve the same result in a less intrusive way, the legitimate interests basis for processing will not apply.

The ICO guidance refers to the process of considering – and documenting – the analysis under the three-stage test as an "LIA" (legitimate interests assessment). An LIA is intended to be a "type of light-touch risk assessment". Although not a mandatory requirement under the GDPR, the ICO's view is that carrying out an LIA will help the employer to ensure its processing satisfies the three-stage test above and is therefore lawful. In addition, an LIA may also assist in demonstrating GDPR compliance generally, in line with the broader accountability obligations.

Carrying out an initial LIA is not the end of the story, however: LIAs should be kept under review and reconsidered if there is a significant change in the purpose, nature or context of the processing. In addition, in more complex or intrusive cases, or where an LIA identifies any significant risks, a full in-depth DPIA (data protection impact assessment) may still be required. There will inevitably be grey areas, and whether the new LIA provides a genuinely "light touch" or simply adds yet another stage to the process remains to be seen.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.