You now have a data register and have started to work through some questions. You also need to decide what your legal basis is for keeping the data. Under GDPR you must have a lawful basis for each processing activity, record it, and tell employees what it is (normally in your privacy notice).

Under GDPR (Article 6) there are six lawful bases, as follows:

1.   The employee has given their consent to the processing of their data for one or more specific purposes.

2.   It is necessary for entering or performing a contract with the employee.

3.   It is necessary for compliance with a legal obligation to which the employer is subject.

4.   It is necessary to protect the vital interests of the employee.

5.   It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the employer.

6.   It is necessary for the purposes of legitimate interests pursued by the employer or by a third party, except where these interests are overridden by the interests or the fundamental rights and freedoms of the employee.

You can see by looking through these that some will be obvious. You need personal contact details to be able to enter into a contract of employment with an employee (basis 2, contract). You need NI and bank details to pay salaries and to report to HMRC (bases 2 and 3, contract and legal obligation).

A word on consent

Under the Data Protection Act we all relied on consent to process employee data. Most contracts of employment contain (or contained) a ‘data protection’ clause confirming that the employee consents to the processing of their data. So can you just continue to do the same under GDPR?

Simply put: no.

Firstly, if you do use consent it needs to be freely given, specific, informed and unambiguous, and it requires a positive opt-in. You cannot rely on implied consent, and you can no longer just include a general clause in the contract of employment to cover it. The imbalance of power between employer and employee also makes it hard to show that consent was freely given at all.

But the real problem with consent is that employees have the right to withdraw their consent. So just think what might happen if you are relying on consent in some areas. For example, if you rely on consent to keep bank details and consent is withdrawn, how will you pay someone?

Where possible we would recommend you find a lawful basis other than consent (contract, legal obligation or legitimate interests will usually cover employee data).

Consent may be appropriate for genuinely optional things, for example using a photo of an employee on your Company website (meet the team!), where the employee can refuse or withdraw without any detriment.

Special Category Data

There are also special categories of data that require an additional condition for processing on top of the Article 6 lawful basis. If you have put together your data register you should know whether you keep any of these.

Special category data is personal data which the GDPR says is more sensitive and so needs more protection. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 (above) and a separate condition for processing special category data under Article 9 (see below). These do not have to be linked.

The categories of special data include:

  • race
  • ethnic origin
  • political opinions
  • religion or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

The Article 9 conditions for processing special category data that are most relevant to employers are as follows (the full list in Article 9(2) is longer):

  • The data subject has given explicit consent to the processing of this data for one or more specified purposes
  • It is necessary for carrying out the employer’s or employee’s rights and obligations under employment law
  • It is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent
  • The data subject has manifestly made the data public
  • It is necessary for the establishment, exercise or defence of legal claims
  • It is necessary for the purposes of occupational medicine or for the assessment of the employee’s working capacity

Note: Your choice of lawful basis under Article 6 (the legal basis for ‘general’ data) does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances, although in many cases there will be an obvious link between the two. For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate. Record both in your data register.

In our next blog we will look at what you need to do if there is a data breach.

If we can be of assistance please do not hesitate to contact us on 01702 216573 or email me at

Useful links

The Information Commissioner’s Office (ICO) – Telephone number: 0303 123 1113

GDPR (Regulation (EU) 2016/679)