Back to overview

Commercial Question

The challenge of staff ‘consent’ under the GDPR

updated on 17 April 2018


Will employers find it harder to rely on consent to process their employees’ personal data when the new law comes into force?


When the General Data Protection Regulation (GDPR) is implemented in May 2018, consent for the processing of personal data will have to be freely given, specific, informed and revocable. The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid. In an employment context, it has long been acknowledged that there is such an imbalance between employer and employee. This means it will be difficult for employers to rely on consent to process employees’ personal data under the GDPR – so they will need to look to alternative legal options for each category of personal data.

The legal grounds for processing some categories of personal data will remain straightforward. For example, employers have to process employees’ bank account data to pay their salaries and their sickness absence data to enable statutory sick pay. There are other legal obligations, such as the ‘vital interests’ of the employee, which employers can use to legitimise processing further categories of personal data.

Legitimate interests

However, most commercial employers are likely to turn to ‘legitimate interests’; that is, that their legitimate interests in processing employees’ personal data outweigh the general privacy rights of employees.

But there are limits on how far employers can legitimately extend their interests. In particular, as well as being strictly necessary for a legitimate purpose, processing under this legal basis must also comply with the principles of proportionality and subsidiarity.

The Article 29 Working Party’s recent Opinion 2/2017 provides helpful examples of the likely limits of legitimate interests as a legal basis. For example, if an employer uses a data loss prevention tool to monitor employees’ outgoing emails automatically to prevent unauthorised transmission of proprietary data, to rely on legitimate interests it will need to ensure the system’s rules are fully transparent to employees; they must also be warned in advance if the tool recognises an email to be sent as a possible data breach, giving the sender the option to cancel it.

Compliance tips

So what steps should employers take to comply with the GDPR? First, organisations need to review their template employee documentation such as employment contracts and any freestanding employee data-processing consents.

For new hires, companies should replace the consent language in these documents with new language referencing one or more of the alternative legal bases referred to above. For existing employees, companies will need to roll out employee data processing notices that refer to these alternative legal bases.

Finally, employers should be aware that their choice of legal basis may also affect their employees’ rights and the organisation’s obligations to them. Under the GDPR, employees’ rights regarding their personal data are expanded and strengthened; for example, there are new rights to data portability and to be forgotten. However, the former right only applies to data processed by consent and the latter right only applies, among other things, when consent is withdrawn.

Accordingly, by relying on the ‘legitimate interests’ legal basis, an employer can reduce its compliance obligations vis-à-vis its employees – every cloud does in fact have a silver lining.

In summary, it is likely that employers will turn to legitimate interests to process employee data under the GDPR. To ensure such processing is valid, employers will need to conduct proportionality tests to establish that:

  • all personal data collected is necessary;
  • the processing outweighs the general privacy rights that employees have in the workplace; and
  • measures have been taken to ensure that infringements of employees’ right to private life and secrecy of communications are limited to the minimum necessary.

Ann Bevitt is an employment and data privacy partner at Cooley.