GDPR compliance

We’ve been working through what GDPR will mean for both ourselves and our clients. Here are a few snippets of information to assist you:

Know your lawful bases – ‘why’ you are holding personal data:

The lawful bases for processing data are set out in Article 6 of the GDPR and shown below. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Likely to apply in marketing, website forms, signing up to a new service, etc.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. This is likely to be the reason for processing employee data.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). E.g. right to work in the UK checks, HMRC obligations, court orders, etc.

(d) Vital interests: the processing is necessary to protect someone’s life. Most likely to refer to the medical sector.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. Most likely to refer to the public sector: councils, hospitals, prisons, etc.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) This could be a direct relationship (i.e. a client or employee), direct marketing (in specific cases, i.e. existing clients for existing purposes), or commercial interests where there is no imbalance against the rights of the individual.

When you can rely on employees’ consent to process their data under the GDPR:

The circumstances in which employers can rely on employees’ consent as the legal basis for processing their data are extremely limited.

This is because, for consent to be valid, it must be “freely given”. The imbalance of power in the employment relationship means that this condition will rarely be met where the employer asks an employee for consent to process his or her personal data. Given that employees would be free to withdraw their consent at any time, it would be impractical for employers to use consent as the basis for their processing.

Employers should rely on consent only where no other legal basis for the processing applies (i.e. it is not necessary for the performance of a contract, compliance with a legal obligation or the employer’s legitimate interests) and there will be no adverse consequences for an employee who refuses to provide consent.

For example, an employer may wish to publish a photograph on its intranet of an employee taking part in an event organised by the employer. This would constitute processing of the employee’s personal data. The employer could ask the employee for his or her consent to publish the photograph on the understanding that, if he or she does not agree to this, the employer will use a different photograph and the employee will not suffer any consequences.

Consent is one of the conditions that an employer can rely on to process special category data, such as information about an employee’s health or sexual orientation. However, in almost all cases there will be a more appropriate alternative legal basis.

THINK: What would happen if consent was not given, or was retracted? If this would make the processing difficult, consider whether an alternative legal basis might be more appropriate.