Why HR professionals need to get consent right first time

28th February 2018Close up image of a man holding a pen towards a piece of paper.

If you have begun aligning your company procedures to the new GDPR Regulation due to come in force in May (and if you haven’t, we urge you to do this urgently), you will be aware that you must have a valid lawful basis in order to process data – and this includes the data your hold about your employees.

There is a hidden trap here.

You may be operating under the assumption that you have the employees’ consent to process their data, therefore ‘everything is ok’.  That would be the wrong assumption.   All they would need to do is withdraw their consent and that would potentially leave you in trouble.

What you need to know:

First and foremost, you must always have a valid lawful reason for processing personal data.  Within the GDPR legislation these are referred to as the ‘lawful bases’ for processing.  There are six of them.  No one basis is any ‘better’ than another – what is important is that you chose the right one FIRST TIME.

You must determine your lawful basis before you begin processing, and you should document it.  Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. 

The six legal bases for processing personal data

These are set out clearly in Article 6 of the GDPR.  At least one of these must apply whenever you process personal data.  You should determine which one you are going to use and record and communicate this before May 25th 2018 or before you start processing any personal data, whichever comes sooner.  So if you are already processing employee data, which you very likely are, we recommend you get this documented and communicated now.

At least one of these must apply: (Source www.ico.org.uk):

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

So which one do you choose?

It is important that you decide and document up front which of these bases you are going to use (it could be more than one).  Switching at a later date is deemed by the ICO to be ‘inherently unfair to the individual and lead to breaches of accountability and transparency requirements’.

From a human resources point of view, a lot of companies are using CONSENT as the legal basis to process employee data.  Are you?   Be aware – this is the wrong condition.

What you should be relying upon (and therefore documenting), is that you are processing the employees’ personal data under the basis of LEGAL OBLIGATIONS and employment law.

However, unfortunately it is not quite as simple as that.  You have to think a little harder about how you are processing the data, what you are doing with it and what you are trying to achieve.

For example, wanting to use an employee’s photos on your website or social media, that element DOES REQUIRE CONSENT as it would not covered by legal obligations.

Our recommendation is that you should review your employment contracts to ensure you are relying on legal obligations for general processing, but that you have gained, documented and communicated that you are relying on consent for other ‘voluntary’ processing which an individual might object to.

At Griffin House Consultancy, we are here to provide you with all the training and knowledge your company needs to comply with GDPR, and future-proof you against forthcoming changes. If you would like more information on how to protect your business please contact us on 01673 885533 or email [email protected].

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details










    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.