Briefing Note

General Data Protection Regulation: Preparing for the change

This Briefing Note focuses on the GDPR from an employer’s perspective but many companies and other organisations will have other obligations under GDPR as well.

The GDPR is an EU regulation which, when it comes into force on 25 May 2018, will have direct effect on all member states – including the UK despite Brexit (at least for a short time!). Once Brexit happens it may well continue to apply to ensure retention of high levels of data protection and allow consistent data sharing across national borders.

The aim of the General Data Protection Regulation (GDPR) is to harmonise data protection laws across the EU and to deal with significant advances in information technology and approaches to information sharing.

The GDPR regime allows significant penalties to be imposed on businesses that breach the regulations, including fines of up to €20 million or, if higher, 4% of their worldwide turnover; a powerful incentive to comply.

Step 1 | Demonstrate compliance

The first step is to review data protection policies and contractual requirements with external data processors (e.g. payroll). As will be seen below, there are a number of changes under the GDPR and so revisions are very likely to be necessary for both employers and suppliers, who will need to ensure they are demonstrating data security and compliance with the GDPR. It will not be sufficient simply to say you and they are compliant.

If new HR systems are being considered, they should be built and contractual arrangements agreed with the GDPR requirements in mind.

Step 2 | Data audit

Most employers process significant amounts of data relating to employees including, for example, computer log data, websites visited, telephone calls, emails sent and received, CCTV and personnel data. Much of the data will be unstructured and may include sensitive personal data. For example, a text from an employee to their manager saying they are unwell and unable to attend work, and the manager relaying this or making a record of it, is the processing of sensitive personal data. Despite the unstructured nature of much of the data and lack of actual control over that data, the employer remains the data controller and owes various obligations.

A data audit must be carried out to establish what data is being processed within the organisation and where there may be any gaps in GDPR compliance.

Currently, employers rely on employee consent to justify processing of personal data about them.  This is subject to criticism given the unequal relationship between employer and employee and whether the employee can give their consent freely in these circumstances.

Consent remains an option but under GDPR the conditions for relying on consent are more detailed and stricter. Consent must be given freely. It will not be freely given where the consent is a condition of the employee's employment, for example, included in their employment contract. Ultimately, consent under the GDPR is going to be difficult to rely on for general use in the employment relationship, but could be used for one-off matters such as obtaining a medical report.

Processing can be undertaken lawfully in other ways set out in Article 6 of GDPR. The ground most likely to be relied on by employers is that the processing is necessary for the purposes of the legitimate interests of the employer.

Step three should be to establish the grounds under the GDPR on which you can and will be able to lawfully process data.

Step 4 | Privacy notices

Existing laws require employers to provide employees and job applicants with a privacy notice, which sets out the purposes for which the data is being processed and any information that needs to be provided to ensure fair processing of that information. The GDPR, under Article 12, requires that all information provided must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. Employers will generally need to provide more detailed information in their privacy notices, including:

  • The period for which the data will be stored.
  • Information on data subject rights, including the right to make a subject access request and rectification and erasure (the right to be forgotten/have data erased).
  • The right to object to processing on certain grounds.
  • The right to withdraw consent (where the employer is relying on consent as the legal basis for processing).

The amount of information that employers will have to provide is significantly more than is currently required.  Step four is to review and update privacy notices.

Step 5 | Data subject rights

The GDPR extends data subjects’ rights which will include the following:

  • The right to erasure.
  • The right to have data rectified.
  • The right to restrict the processing of personal data.
  • The right to object to the processing of personal data.

There are various triggers which allow the above rights to be exercised. For example, where personal data is no longer necessary for the purpose for which it was collected or processed the data subject has the right to have that personal data erased.

The rights of data subjects will impact the employment relationship in a number of ways.  By way of example there is likely to be tension between an employer pursuing its “legitimate interests” and an employee seeking to restrict the processing of data on the basis of his or her right to privacy.  Organisations need to familiarise themselves with these changes to the rights of the data subject.


The above is a very broad overview and we will be publishing further detailed guidance in due course via hrlegalnews.
