5 things employers need to know about GDPR!


GDPR – 4 letters that have everyone concerned (and with good reason).

The GDPR is a new EU regulation that will come into force on 25 May 2018. The GDPR means employers need to rethink how personal data is collected, used and kept. Both employers and employees now have new responsibilities to consider to help ensure compliance.

What is the GDPR?

The GDPR (General Data Protection Regulation) is a new and complex regulation that seeks to create a shift in how organisations handle personal data. Its role is to ensure that data processing and protection keep pace with today’s technological advancements and cultural change.

What do I need to know?

Although there are few dramatic changes to data protection from an employment law perspective, there are a few changes which employers should be aware of. Here are 5 of them.

1. Consent

It’s common for UK employers to include a data protection clause in an employment contract. Consent to data processing is given when an employee signs an employment contract. Currently, consent is a legitimate reason for processing employee data.

After 25 May, employers will no longer be able to rely on an employee’s consent as a lawful basis for processing that employee’s data, due to the changes introduced by the GDPR.

Consent under the GDPR must be ‘freely given, specific, informed and unambiguous’. Consent from an employee will no longer be ‘freely given’ due to the unequal nature of the employer and employee relationship.

Employers should review their employment contracts and check that any data protection clauses comply with the GDPR. For example, employers should ensure they have another legal basis (i.e. not consent) for processing employee data. Examples of these legal bases could be:

  • Processing employee data is a legitimate business interest for the employer. This means that the employer needs to process data in order to function as a business or make business decisions.
  • Processing employee data is necessary for the performance of the employment contract. This means that the employer processes employee data in order for the employee to carry out their work.

The latter is arguably easier to prove, as it’s common sense that the employer will have to process some data in order for the employee to work.

2. Subject Access Requests

Subject Access Requests (SARs) are a familiar concept. We already have SARs under current data protection laws. They allow individuals to find out what personal data an organisation holds about them, why the organisation is holding it and to whom the organisation discloses it.

According to ICO statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.

The right for employees to gain access to personal data that their employer holds about them is the key principle of the Data Protection Act and will continue to be so under the GDPR. There are, however, a number of key differences employers must be mindful of:

  • Time to respond – Employers must respond to a SAR ‘without undue delay and in any event within one month of receipt of the request’. This shortens the previous 40 day limit under the Data Protection Act.
  • Fee – Employers can currently charge up to £10 for carrying out a SAR. Under the GDPR, this fee will be scrapped and the information must be provided free of charge.
  • Electronic access – Employers must make it possible for employees to make SARs electronically. An employee could even make a SAR using your company Facebook or Twitter page.

Therefore, it’s important that employers check their internal policies, including their data security and data protection policy, as well as implementing new policies such as a Privacy notice. You should also train staff (e.g. your HR department) to identify when a request from an employee is a SAR and ensure they are aware of the new shorter deadline.

3. More detailed privacy notices

Under current law, employers are required to provide employees and job applicants with a Privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:

  • how long data will be stored for;
  • if data will be transferred to other countries;
  • information on the right to make a subject access request; and
  • information on the right to have personal data deleted or rectified in certain instances.

Therefore you should review your current Privacy notices and update them to comply with the more detailed requirements of the GDPR.

4. Data breach response plan

The GDPR requires employers to report any data breaches. If there is an accidental or unlawful loss of personal data, the employer will have to notify the ICO promptly unless there is a low risk of causing harm to their employees. This will require a quick assessment of the likely risk. The employees will have to be notified if the breach poses a high risk to their rights and freedoms.

If the business does not have an adequate data breach response programme in place, one should be prepared. Employees will then need to be trained on its requirements.

5. Be audit ready

Knock, knock. Who’s there? The ICO.

It will be up to employers to prove compliance, and the ICO can come knocking on your business’s door without any warning to check you’re compliant. In practice, this means the employer will need to have one or more data protection policies in place that demonstrate that personal data is processed in compliance with the GDPR. Data protection impact assessments will become increasingly important, and should not be forgotten.

Ensure documentary records are in place, and ensure there are clear lines of responsibility. Consider the impact of this on current employees, and their job roles.

So why should you care?

The big €20 million question. Well, if you’re found to be non-compliant with the GDPR you could be fined up to a maximum of €20 million or 4% of your turnover, whichever is greater. And remember, the ICO can check up on you without any warning. So it’s more important than ever for employers to prepare for compliance.

You should get a solicitor to review your current agreements with your customers, vendors and suppliers. A GDPR check will identify which documents need to be redrafted. If you and/or your business need help to comply with the GDPR, Ask a lawyer about our GDPR audit and compliance service.

Alan Cheung