Employers and bookkeepers gather and process a huge amount of employee personal data in the pursuit of paying on time and accurately. In this regard, there are two terms to explain:
1. ‘Personal data’ – means any data that can identify a living individual, for example, the name or National Insurance Number; and
2. ‘Processing’ – means any action performed with personal data, for example, gathering, recording, reporting etc.
The Data Protection Act 2018 contains the United Kingdom General Data Protection Regulation (UK GDPR), which provides the data protection principles that apply when processing this personal data. Essentially, this means employers need to ensure they have a legal basis for processing and be able to demonstrate or explain this to employees if it is queried.
The Data (Use and Access) Act 2025 updated the UK GDPR and has provided a seventh lawful reason for processing data and we detail these below:
1. Consent – i.e. the individual has agreed for the data to be processed;
2. Contractual – i.e. processing is necessary for the performance of a contract;
3. Law – i.e. the reason for processing is because of a legal obligation on the employer;
4. Protection – i.e. processing of data is required to protect the individual’s interest (or those of another individual);
5. Public interest – i.e. it is necessary to process personal data as this is in the public interest;
6. Legitimate interests – i.e. the employer is processing the data for their own legitimate interests; and
7. Recognised legitimate interest – the additional lawful basis, which relates to protecting against, detecting, investigating or preventing crime, or safeguarding vulnerable individuals.
For Bookkeepers
The addition of a seventh lawful reason as to why an employer might process data does not change the three most common reasons that bookkeepers and employers will have:
1. Contractual;
2. Statutory; and
3. Legitimate interest of the employer.
The consent of an employee is unlikely to provide a lawful basis for processing most employee data.
The seven legal reasons for processing data should not be confused with the seven UK GDPR principles which regulate how personal data is collected, processed and stored. These are:
1. ‘Lawful, fair and transparent’ – with lawful linking back to the above seven reasons for processing;
2. ‘Purpose’ – i.e. there must be a reason why data is collected;
3. ‘Minimal’ – i.e. the data must be adequate, relevant and limited to what is necessary;
4. ‘Accurate’ – meaning that it must be kept up to date;
5. ‘Stored for limited time’ – i.e. data should not be kept longer than necessary;
6. ‘Secure’ – i.e. there must be appropriate protection against unauthorised or unlawful processing, accidental loss, destruction or damage; and
7. ‘Accountability’ – i.e. someone must take responsibility for the data at the organisation, which may mean a Data Protection Officer (DPO) is appointed.