Part 3: Lawful Processing

In the third of our series on the General Data Protection Regulation (GDPR) and its effects on employers and HR departments, we concentrate on lawful processing under the GDPR and how employers will be affected by the new rules.

What is lawful processing?

When your organisation processes personal data, it should only do so where it has a lawful basis; this is a fundamental rule that underpins everything your organisation does with personal data and is key to compliance. Whilst this obligation existed under the Data Protection Act 1998, under the GDPR the legal bases (or conditions, as they are often referred to) that your organisation has to meet have, for the most part, been augmented or changed (but not necessarily all in a negative way!).

There are six legal bases (conditions) for processing data under the GDPR:

  1. Contractual necessity: You need to process someone's personal data to perform a contract you have with them; for example, where you have a contract with an individual to supply goods or services.
  2. Legal obligation: Where you need to process an individual's data because your organisation has to comply with a legal obligation under UK or EU law.
  3. Protect life: necessary to protect someone's life.
  4. Official function: You need to process data in order to carry out an official function or task which is in the public interest and you have a basis for proceeding under UK law. In most cases it will apply to public bodies.
  5. Legitimate interest: Where you are a private-sector organisation without consent, and you have a genuine and legitimate interest (which includes commercial benefit), so long as this is not outweighed by harm to an individual's rights (the "legitimate interest" basis). Please note: legitimate interests will no longer apply to Public Bodies.
  6. Consent: The data subject has consented to the data processing.

No one condition is better or more important than the others; however, one condition may be more appropriate than another depending on the circumstances. This is particularly relevant in the case of the last condition in this list: consent. Consent was a lawful basis for processing under the DPA and remains so under the GDPR; however, it has been changed significantly and now includes additional requirements, which will mean that the debate on whether employers could, or rather should, use consent as their legal basis is brought to an end. Employers will find it very difficult to rely on this basis to process employee data from 2018.

Time to move away from consent?

Employers and HR teams have relied on consent to process data in many cases, despite there being dubiety as to whether consent was a lawful basis in the context of the employment relationship; however, after the introduction of the GDPR on 25 May 2018, employers will, in most cases, be required to find an alternative basis for lawful processing of employee data.


Consent must be:

  • freely given and unambiguous; and
  • as easy to withdraw as it was to give.

In addition:

  • in order to be considered to be freely given, "consent should not provide a valid ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller" (i.e. the employee / employer relationship);
  • the request for consent must be clearly distinguishable from the other matters in a contract; and
  • where the contract requires a data subject to consent to the processing of their personal data where the consent is not necessary for the performance of the contract it is likely that the consent will be invalid.

So in the employment scenario, most template employment contracts have pretty much standard data protection consent clauses bundled up in the employment contract itself. That presents a couple of issues: how does an employee withdraw their consent to the processing in that context? With great difficulty. And realistically, how freely given was it? Did your employee really have a choice? Arguably, no.

And was the consent really necessary for the processing of the contract in the first place? In many cases the answer is no, as there was an alternative valid legal basis for processing.

It is likely that employers and HR teams will (and should) rely on a number of other valid conditions for legitimate processing. These will be:

  • legitimate interests of the business (with the exception of public authorities);
  • contractual necessity (for example: processing for the purposes of paying your employees); and
  • necessary for the compliance with a legal obligation (for example: having to process tax return details with the tax office).

Each of these conditions is narrowly construed and careful consideration will need to be made as to which is appropriate to each circumstance.

What should you be doing?

  • You should review your policies and practices including employment contracts to ensure they are GDPR compliant.
  • Organisations should be transparent about the nature of data processing in terms of the data used, the purposes for which the data is used and where it is processed.
  • Where consent is relied on for data processing, find an alternative and record this.
  • Identify employees who will require training on data protection.
  • Read our blogs and contact our team if you have any questions!

Read our previous blogs in this series:

Part 1: Overview of the new rules
Part 2: Employee rights under the GDPR

© MacRoberts 2017


The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.