
GDPR: why relying on an employee consenting to your processing their personal data is risky

In order to comply with the new GDPR requirements, employers will have to audit the employee personal data they are processing and the legal basis for doing so.  Traditionally, where consent has been obtained to such processing, it has often been in reliance on a standard clause written in ‘legalese’ in a contract of employment that employees are required to sign.  The wording is rarely questioned or discussed. Sound familiar? From 25 May 2018, it is very likely indeed that this practice will be unlawful.

The GDPR requires you to have a lawful basis for processing. The Information Commissioner, the enforcer for data protection issues, has recently published draft guidance advising organisations that once GDPR is in force they should not use employee consent as the basis for processing if there is another lawful basis on which they can rely.

The other lawful bases are:

• Performance of the employment contract

• Compliance with the employer’s legal obligations

• Protection of the employee’s vital interests

• Carrying out public functions

• The legitimate interests of the employer or any third party to whom the employee discloses the personal data, unless the employee’s fundamental rights and freedoms override those interests.

It is likely that the first or second of the bases set out above will apply to most of the routine processing that takes place. However, if consent is required, employers will need to ensure that it is:

• specific and informed – prescribed information about the processing should be set out in a Privacy Notice issued to employees which must also inform them of their right to withdraw consent

• freely given – employees must have genuine freedom of choice with no strings attached such as threatened dismissal or other detrimental treatment if consent is refused or withdrawn

• unambiguous – a clear affirmative act

• explicit, for certain types of personal data such as sensitive personal data – so a higher level of consent than unambiguous

What steps should employers be taking?

You should identify the personal data you are processing, the purposes for which you process it and the legal basis for each processing purpose, and set this out in your Privacy Notice. Where consent is necessary, it is very likely you will need to obtain fresh consent from your affected employees that is legally compliant as summarised above and appropriately documented. Unlawful processing of personal data can lead to fines against both the employer and those instrumental in the processing.

In the run-up to the GDPR's implementation, we will be issuing more blogs on it in future Corporate Insights publications and on our website.

To find out more information regarding your GDPR employment law obligations, please contact Emma McLoughlin on [email protected] 

Alternatively, for queries on marketing and GDPR generally, contact our Corporate and Commercial team on 01737 854 500. 


Although correct at the time of publication, the contents of this newsletter/blog are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.
