Until now, most employers have relied upon their employees’ consent in order to process their personal data. Under the GDPR, however, the requirements for consent will be much stricter, particularly in the employment context, where it is generally accepted that the imbalance of power between the employer and employee is likely to invalidate any consent given by the employee.
Nevertheless, all is not lost. Consent is only one of a number of potential legal bases for processing employees’ data. Employers will therefore need to consider whether any of the available alternatives are appropriate for their processing requirements.
In this context, employers may turn increasingly to “legitimate interests” as a lawful basis for processing. The legitimate interests ground is potentially wide in scope and flexible but, as the Information Commissioner’s Office (ICO) warns in its latest guidance, employers should not assume it will be appropriate in all cases. Essentially, a proportionality assessment is required.
The ICO guidance requires employers to apply a three stage test:
- Purpose test: identify the legitimate interest;
- Necessity test: assess whether the processing is necessary to achieve that interest; and
- Balancing test: balance the legitimate interest against the individual’s interests, rights and freedoms.
Where an employer can reasonably achieve the same result in a less intrusive way, the legitimate interests basis for processing will not apply.
The ICO guidance refers to the process of considering – and documenting – the analysis under the three stage test as an “LIA” (legitimate interests assessment). An LIA is intended to be a “type of light-touch risk assessment”. Although not a mandatory requirement under the GDPR, the ICO’s view is that carrying out an LIA will help the employer to ensure its processing satisfies the three stage test above and is therefore lawful. In addition, an LIA may also assist in demonstrating GDPR compliance generally in line with the broader accountability obligations.
Carrying out an initial LIA is not the end of the story, however: LIAs should be kept under review and reconsidered if there is a significant change in the purpose, nature or context of the processing. In addition, in more complex or intrusive cases, or where an LIA identifies any significant risks, a full in-depth DPIA (data protection impact assessment) may still be required. There will inevitably be grey areas, and whether the new LIA provides a genuinely “light touch” or simply adds yet another stage to the process remains to be seen.