With its ‘going live’ date of 25 May just around the corner, GDPR is still on our minds.

One issue which comes up again and again is the question of consent, with plenty of myths and misapprehensions about whether it will be needed for the processing of personal data.

Elizabeth Denham, the Information Commissioner, has published a number of “myth-busting” blogs. One of these blogs deals with the thorny issue of consent: “consent is one way to comply with the GDPR, but it’s not the only way”.

Under GDPR, in order to process personal data, organisations must identify a lawful basis for processing. Explicit consent is one basis, but there are a number of others. The key bases for processing which are most likely to be used in HR are where it’s necessary:

  • to comply with the law (such as obligations to HMRC);
  • for compliance with a contract (for example paying employees under their contract of employment)
  • for the employer’s legitimate interests (or those of a third party), unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Consent clearly has its place, but in the majority of cases, it will be more appropriate to rely on one of the other lawful bases, not least because consent can be withdrawn by the employee at any time. As such, if you can rely on a different lawful basis, it makes sense to do so.

Find out more in The Information Commissioner’s blog.


Please get in touch if you would like to discuss any issues.