Where somebody’s photo is being used next to their name on a website (or on the office wall) this will be an act of processing personal data. The photo may also reveal ethnicity or racial origin, somebody’s religious belief, perhaps because they’re wearing a headscarf, or the physical effects of a disability, so it could be special category personal data too.
You have to process the images lawfully, fairly and transparently. The use of images may be to generate goodwill and harmony within the workplace and to promote the employer’s business externally to others; in both cases this could be explored as a means of establishing a legitimate interest as a lawful basis for using the photos. You may like to record a legitimate interests assessment to document this (we have a checklist you can use for this).
You also need to provide fair processing information to staff to ensure they are aware of how this data is going to be processed. Where the picture does show special category personal data, the organisation is going to have to establish at least one lawful basis under Article 6 of GDPR and an exception under Article 9 in order to process it. This will be explicit consent from the employee. Unfortunately, the employee is then always going to have the ability to withdraw that consent and leave you with a blank space or gap.
Where an employee has a photograph taken with their consent but it is then used in a way of which they were not informed and to which they didn’t consent, they may also have legitimate reasons to complain. For that reason, it is important to obtain the consent in writing so you can establish what purposes you have set out to the employee. Asking the employee to sign an image release form that details how the image is going to be used, so that the employee can provide appropriate consent to that use, will also help you in relation to privacy arguments. We can provide you with such an image release form if you wish.