< Back

Share |

Lawful processing of HR data under the GDPR

March 2017

Under the GDPR, personal data must be processed in accordance with certain principles. While these are broadly similar to those under the Data Protection Directive (DPD), the wording has changed and they all centre around the concept of accountability. For HR teams, traditional justifications for lawful processing of employee data may have to be revisited together with the way in which the data is collected, used and retained.

The data protection principles

Lawfulness, fairness and transparency

The GDPR requires that the data controller provide the data subject with information about his/her personal data processing in a concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language.

For employers, transparency is achieved by keeping the employee or prospective employee informed and this should be done before data is collected and where any subsequent changes are made. It is important to remember that data is not always collected directly from individuals but may be derived from other data sets, observed by tracking or inferred using algorithms. The GDPR has a mandatory list of the information which must be given to individuals where data is obtained directly from them but also where it is obtained indirectly.

Giving an employee or candidate a genuine choice about data processing in order to rely on consent is going to be an issue for employers in achieving lawful processing (see below).

Purpose limitation

Processing personal data is only permissible if and to the extent that it is compliant with the original purpose for which data was collected. Processing “for another purpose” later on requires further legal permission or consent. The only exception to this requirement is where the “other purpose” is “compatible” with the original purpose. Indications for this will be any link with the original purpose, the context in which the personal data has been collected, the nature of the personal data, the possible consequences of the intended further processing for data subjects or the existence of appropriate safeguards.

Data minimisation

Data controllers must ensure that only personal data which is necessary for each specific purpose is processed (in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility). Under the GDPR, data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". This links back to the purpose limitation. Employers need to make sure that they collect enough data to achieve their purpose but not more than needed.


Personal data must be accurate and kept up to date – this will be familiar from the DPD. Inaccurate or outdated data should be deleted or amended and data controllers are required to take "every reasonable step" to comply with this principle.

Storage limitation

Once you no longer need personal data for the purpose for which it was collected, you should delete it unless you have other grounds for retaining it. This means there should be a regular review process in place and methodical cleansing of HR databases.

Integrity and confidentiality

Under the GDPR, like the DPD, personal data must be protected against unauthorised access using appropriate organisational and technical measures. This goes to the heart of protecting the privacy of individuals. Data controllers and processors need to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and working effectively. There are strict breach reporting provisions in the GDPR. High profile data breaches can cause significant embarrassment and expense for businesses. TalkTalk was recently fined a record £400,000 for failing to keep data secure and this amount will look paltry once the new sanctions under the GDPR apply, under which fines for data breaches will be up to 2% of annual global turnover or 10m Euros, whichever is higher.


The final principle under the GDPR states that data controllers must be able to demonstrate compliance with the other principles. This is a short sentence with major implications. One of the notable changes under the GDPR compared with the DPD, is the increased compliance burden (see our article for more), much of which is sparked by the accountability principle. It is not enough to comply, you have to be seen to be complying. The range of processes that employers have to put in place to demonstrate compliance will vary depending on the complexity of the processing but may include:

  • assessing current practice and developing a data privacy governance structure which may include appointing a Data Protection Officer;
  • creating a personal data inventory;
  • implementing appropriate privacy notices;
  • obtaining appropriate consents (although see below);
  • using appropriate organisational and technical measures to ensure compliance with the data protection principles;
  • using Privacy Impact Assessments; and
  • creating a breach reporting mechanism.

Lawful processing

Consent – no longer an option for HR data?

One of the commonly relied on grounds for lawful processing of HR personal data under the DPD is that it is done with employee consent. Under the GDPR, consent must be "freely give, specific, informed and unambiguous". Given the imbalance of power between employees and employers, it will be difficult for consent to be freely given which means it is unlikely to provide a valid basis for processing HR data.

The GDPR explicitly states that account must be taken of whether the entering into of the contract is made conditional on the consent to the data processing where it is not necessary to performance of a contract (see below). In addition, in recently published draft guidance on consent, the UK's ICO has said: "It follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data".

While it is possible to envision situations in which an employee does have a genuine choice (and is able to withdraw consent) concerning some of the data processed about them, these are likely to be extremely limited and employers should be very careful about relying on consent in order to legitimise the processing of HR data. A term in a standard employment contract will certainly be insufficient and will no longer provide a 'fall back' justification for processing HR data. Employers should also note that where consent is used as the basis for lawful processing, the data subject has the right to have their data erased under the new 'right to be forgotten' unless there are other legal grounds to justify the processing. Other circumstances in which an employee can request deletion of data include where it is no longer necessary for the purpose for which it was collected. Employers should, therefore, look to other grounds for lawful processing in order to justify the processing of HR data. As the ICO's draft guidance states: "If you are processing employee data... you should look for another basis for processing such as….'legitimate interests'".

Having said that, this guidance is still in draft form and will not be binding, and we are yet to hear from other EU regulators (or the Article 29 Working Party) on the subject of consent. Businesses located or with offices in other Member States will need to keep an eye out for local developments. For example, Germany is currently discussing a general written form requirement for employee consents which would further raise the bar for national operations and would certainly make multi-national concepts even more challenging but in doing so, seems to take a more positive view of the possibility of valid consent in an employer/employee relationship.

In terms of special (formerly sensitive) personal data, any consent to processing has to be "explicit". This is not a defined term in the GDPR (although the ICO's guidance suggests this means 'in words') but in the context of HR data, valid explicit consent is going to be very difficult to obtain and employers will most likely need to rely on the derogation in the GDPR under Article 9 (2)(b) which relates to the processing of special data in an employment context.

For more on consent, see our article.

Legitimate interests

Another frequently relied on basis for lawful processing of HR data is that it is in the legitimate interests of the business to do so. Under the GDPR, processing will be lawful where it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".

Until recently, the equivalent provision in the DPD was heavily relied on by employers to justify data processing but recent case law from the Court of Justice of the European Union has made it clear that you cannot simply argue that you have satisfied the 'legitimate interests' test because it is in your economic interests to process the data. However, in the ICO's draft guidance, commercial benefit can be sufficient to count as legitimate unless this is outweighed by harm to the individual's rights and interests. The ICO cautions that part of ensuring this will involve being "fair, transparent and accountable". So, for example, there may be a legitimate interest in monitoring employees but in order to help ensure that the employer's interests are not outweighed by the rights of the employees, there must be full transparency about what monitoring takes place and for what purposes together with appropriate safeguards.

Necessary for performance of a contract or to comply with a legal obligation

Processing will also be lawful where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject's request prior to entering into a contract (which includes employment contracts), and where it is necessary in order to comply with a legal obligation. These grounds are helpful to employers but they should remember that the purpose limitation and data minimisation principles will apply and may have a bearing on how much data may be collected and what it can be used for.

Will all Member States approach employment data in the same way?

Although the GDPR provides for a more uniform approach to ensuring data protection compliance across Europe, there are, of course, permitted derogations. One such example, is article 88 of the GDPR which allows for Member States by operation of law or collective agreements, to provide more specific rules to safeguard the "processing of employees' personal data within the employment context". The Article further sets out that this may be in relation to data processed for a variety of purposes in the employment cycle from recruitment to health and safety at work. The extent to which Member States choose to exercise these derogated powers to reflect their current practices or to strengthen protection around employee personal data remains to be seen. Member States must tell the Commission if they plan to take up this offer by 25 May 2018, so the clock is ticking...

So what does this mean in practice?

Employee consent to the processing of their personal data is unlikely to be held to be valid under the GDPR. Employers should begin looking now at the grounds on which they have processed HR data to date and consider whether those need to change under the GDPR. The most likely ground for lawful processing of HR data will be that it is in the legitimate interests of the employer to do so. In order to ensure that the rights of employees are not unfairly compromised, there must be full and transparent disclosure of what data processing is taking place and for what purposes.

While identifying an alternative lawful ground for processing is unlikely to be difficult in the employment context, the purpose limitation and data minimisation principle may restrict the range of employee data which can be collected and what that data can be used for. Employers will need to give thought to each separate category of employee data they process and record the grounds for lawful processing upon which they rely in each case.

Pseudonymisation: a way out for HR teams?

The GDPR introduces a new concept of "pseudonymisation", meaning the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual, without additional information.

Pseudonymous data will still be treated as personal data, but may potentially be subject to fewer restrictions on processing if the risk of harm is low. It requires that the "key" necessary to identify data subjects from the coded data is kept separately, and is subject to technical and organisational security measures to prevent inadvertent "re-identification" of individuals or personal data within the data set.

Currently, the practice around pseudonymisation is varied across EU States, which is unhelpful for multi-national employers. EU-wide guidelines to add detail to the GDPR provision are expected which should help employers navigate this area, and employers should keep these practices under review.

What should employers be doing?

These changes are wide ranging and have implications for the structure and processes of a business. The new regime is complex and HR teams are advised to undertake careful review and planning ahead of implementation of the new regime in May 2018. They should:

  • review current data protection policies and practices including existing employment contracts, staff handbooks and employee policies. Ensure there is full transparency over the nature of HR data processing in terms of the data used, the purposes for which it is used and where it is processed;
  • where consent has been relied on to justify processing of HR data, consider an alternative and make sure this is recorded;
  • consider the geographical span of the business – note also certain EU Member States have indicated that they are considering putting in place more stringent requirements than those set out under the GDPR (although this does not currently include the UK);
  • assess business needs and identify employees who will require early training on the new reforms, with a view to rolling out revised data protection training for all employees nearer to the date of implementation; and
  • appoint someone within the organisation to oversee compliance with the reforms.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Processing of HR data under the GDPR
Debbie Heywood

Debbie Heywood      

Debbie looks at the data protection principles and the justifications for processing HR data under the GDPR.

"Under the GDPR, it is unlikely that consent will be a valid basis for processing HR data... Employers should look to other grounds for lawful processing."