
General Data Protection Regulation: Preparing for the change

Posted on 13th September 2017
Briefing note

The aim of the General Data Protection Regulation (GDPR) is to harmonise data protection laws across the EU and to deal with significant advances in information technology and approaches to information sharing. This Briefing Note focuses on the GDPR from an employer’s perspective but many companies and other organisations will have other obligations under GDPR as well.


Author: Marsha Robinson, Solicitor
The GDPR is an EU regulation which applies directly in all member states from 25 May 2018 - including the UK, despite Brexit (at least for a short time!). Once Brexit happens it may well continue to apply in substance, to ensure retention of high levels of data protection and to allow consistent data sharing across national borders.

The GDPR regime allows significant penalties to be imposed on organisations that breach it, including fines of up to €20 million or, if higher, 4% of their total worldwide annual turnover for the preceding financial year; a powerful incentive to comply.

Step 1 | Demonstrate compliance

The first step is to review data protection policies and the contracts in place with external data processors (e.g. payroll providers); the GDPR requires a written contract with processors containing specified terms. As will be seen below, there are a number of changes under the GDPR, so revisions are very likely to be necessary for both employers and their suppliers, who will need to be able to demonstrate data security and compliance with the GDPR. It will not be sufficient simply to assert that you and they are compliant: the GDPR's accountability principle requires that compliance can be evidenced.

If new HR systems are being considered, they should be built and contractual arrangements agreed with the GDPR requirements in mind.

Step 2 | Data audit

Most employers process significant amounts of data relating to employees including, for example, computer log data, websites visited, telephone calls, emails sent and received, CCTV footage and personnel records. Much of this data will be unstructured and may include sensitive personal data (termed "special category data" under the GDPR). For example, a text from an employee to their manager saying they are unwell and unable to attend work, and the manager relaying this or making a record of it, is the processing of sensitive personal data about health. Despite the unstructured nature of much of this data and the lack of direct control over it, the employer remains the data controller and owes the corresponding obligations.

A data audit must be carried out to establish what data is being processed within the organisation and where there may be any gaps in GDPR compliance.

Step 3 | Establish legal ground for data processing

Currently, many employers rely on employee consent to justify processing of personal data about them.  This is subject to criticism given the unequal relationship between employer and employee and whether the employee can give their consent freely in these circumstances.

Consent remains an option but under GDPR the conditions for relying on consent are more detailed and stricter. Consent must be given freely.  It will not be freely given where the consent is a condition of their employment, for example, included in their employment contract. Ultimately, consent under the GDPR is going to be difficult to rely on for general use in the employment relationship, but could be used for one off matters such as obtaining a medical report.

Processing can be undertaken lawfully on other grounds set out in Article 6 of the GDPR, including where it is necessary for the performance of the employment contract or for compliance with a legal obligation. The ground most likely to be relied on by employers for wider HR processing is that the processing is necessary for the purposes of the legitimate interests of the employer (Article 6(1)(f)); this requires the employer's interests to be balanced against the interests and rights of the employee, and it cannot be used where those override the employer's interests.

Step three should be to establish the grounds under the GDPR on which you can and will be able to lawfully process data.

Step 4 | Privacy notices

Existing laws require employers to provide employees and job applicants with a privacy notice, which sets out the purposes for which the data is being processed and any information that needs to be provided to ensure fair processing of that information. The GDPR, under Article 12, requires that all information provided must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”, and Article 13 sets out what that information must contain. Employers will generally need to provide more detailed information in their privacy notices, including:

  • The legal basis for the processing and, where the employer relies on its legitimate interests, what those interests are.
  • The period for which the data will be stored or, where that cannot be stated, the criteria used to determine that period.
  • Information on data subject rights, including the right to make a subject access request and the rights to rectification and erasure (the right to be forgotten/have data erased).
  • The right to object to processing on certain grounds.
  • The right to withdraw consent (where the employer is relying on consent as the legal basis for processing).
  • The right to lodge a complaint with the supervisory authority (in the UK, the Information Commissioner's Office).

The amount of information that employers will have to provide is significantly more than is currently required. Step four is to review and update privacy notices.

Step 5 | Data subject rights

The GDPR extends data subjects' rights, which will include the following:

  • The right to erasure.
  • The right to have data rectified.
  • The right to restrict the processing of personal data.
  • The right to object to the processing of personal data.
  • The right to data portability.

There are various triggers which allow the above rights to be exercised. For example, where personal data is no longer necessary for the purpose for which it was collected or processed, the data subject has the right to have that personal data erased.

The rights of data subjects will impact the employment relationship in a number of ways.  By way of example there is likely to be tension between an employer pursuing its “legitimate interests” and an employee seeking to restrict the processing of data on the basis of his or her right to privacy.  Organisations need to familiarise themselves with these changes to the rights of the data subject.

Conclusion

The above is a very broad overview and we will be publishing further detailed guidance in due course via hrlegalnews.
