
The GDPR and Employment Law

The General Data Protection Regulation (the GDPR) applies from 25 May 2018. That is only a year away and, as we all know, it will fly by. The GDPR was written to create a culture shift in how organisations handle personal data, and non-compliance will attract considerably greater penalties than under the current regime. 

Overall the GDPR provides individuals with the right: 

(a) to be informed; 

(b) of access; 

(c) to rectification; 

(d) to erasure; 

(e) to restrict processing; 

(f) to data portability; 

(g) to object; and 

(h) not to be subject to automated decision making and profiling. 

The GDPR is a complex piece of legislation, so to save you all trawling through it, I’ve picked eight issues which businesses should start considering: 

1. Consenting to the processing of employee data

Currently, employers commonly justify processing employee data on the basis of a consent clause in the contract of employment. The GDPR requires that consent be (a) freely given, (b) specific, (c) informed and (d) unambiguous, and it must be as easy to withdraw as it was to give. 

This means employers will have to tell employees that they can withdraw their consent at any time. The GDPR also makes clear that consent is unlikely to be freely given where there is a clear imbalance of power between the parties, as there is between employer and employee, so a consent clause buried in a contract is a weak basis to rely on. Employers should review and revise their employment contracts and consider whether another lawful basis (such as performance of the contract, compliance with a legal obligation or legitimate interests) better fits each type of processing.

2. Data breach response plan

The GDPR introduces mandatory breach reporting. A personal data breach covers accidental as well as unlawful loss, destruction, alteration, disclosure of or access to personal data. Employers will have to notify the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. 

If a business does not have an adequate breach response programme, one should be drafted and employees need to be trained on it (after all, there is no point in having a programme if no one knows about it!). A 72-hour clock means staff must know whom to tell, and how, before an incident happens. 

3. Detailed information for job applicants and employees 

Currently, employers are required to provide job applicants and employees with a privacy notice, setting out which data is processed and how. This is often within a ‘data protection policy’. 

The GDPR requires significantly more information, including the lawful basis for the processing, how long the data will be stored, whether it will be transferred to other countries, how to make a Subject Access Request (SAR), the right to have personal data erased or rectified in certain circumstances and the right to complain to the data protection authority. 

The information must be concise, transparent, easily accessible and in plain language. Employers will need to update their data protection policies and privacy notices accordingly.

4. SARs

The current 40-day compliance deadline will be replaced by a requirement to respond without undue delay and in any event within one month. Where a request is complex, or an individual has made a number of requests, the employer may extend the period by up to a further two months, but it must tell the individual within the first month that it is doing so and why. 

The £10 fee will be removed. Instead, employers will be able to charge a reasonable fee, or refuse to act, where a SAR is manifestly unfounded or excessive, for example because it is repetitive. 

Businesses will need to ensure that staff are trained in the new SAR regime, and policies may need to be updated. 

5. Rights to delete, freeze and correct information 

As the words suggest, employees will be able to ask employers to erase, restrict the processing of (that is, freeze) and rectify information held about them. Where requests are manifestly unfounded or excessive, employers will have the right to charge a reasonable fee for complying with them or to refuse to act. 

Individuals in HR roles will need to understand the legal basis of these developments and implications of failure. 

6. Relationships with data processors 

Third parties such as payroll companies will often process employee data on the employer's behalf ('Data Processors'). The rules surrounding Data Processors will become stricter: processors will have direct obligations of their own under the GDPR, can be fined and sued if they fail to meet them, and may only be appointed under a written contract containing the terms the GDPR prescribes (for example, acting only on the employer's documented instructions, keeping the data secure and assisting with breach notification and SARs). 

Businesses will need to check whether their current arrangements and contracts with processors are fit for purpose.

7. Automated decision making

Employees have the right not to be subject to decisions based solely on automated processing which produce legal effects or similarly significant effects for them, e.g. performance management thresholds, triggers for sickness absence procedures and/or attendance bonuses. Such decisions are permitted only in limited circumstances (for example, where necessary for the employment contract, authorised by law or based on explicit consent) and then only with safeguards, including the right to obtain human intervention and to challenge the decision. 

Businesses will need to review any automated decision making and consider building in human review or alternative mechanisms for making these decisions. 

8. Audit ready 

Employers will need to be able to demonstrate compliance (the GDPR's accountability principle), and this will require having records and policies in place to evidence it. Data protection impact assessments will become increasingly important and will be mandatory where processing is likely to result in a high risk to individuals. 

Records should be kept in an organised fashion with clear lines of responsibility. Consideration should be given to the impact on current employees and their job roles. 


It is clear that businesses will need to plan a business-wide GDPR compliance strategy, and employment data is likely to form a considerable part of that strategy in most businesses. 

Here at SCE Solicitors, we have a wealth of experience in assisting employers on all issues relating to the GDPR.  If you would like to discuss compliance or any other employment law issue, please contact us on 01133 50 40 30 or at hello@scesolicitors.co.uk.

If you would like to be kept up to date with employment law and dispute resolution updates, please subscribe to our monthly newsletter.

SCE Solicitors is a boutique employment law and dispute resolution practice based in Leeds which advises clients nationwide.  Please note that the information in this blog is to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with SCE Solicitors or other professional counsel before acting on the information contained here.

Samira Cakali

Samira Cakali is a pragmatic and approachable solicitor advocate with extensive contentious and non-contentious experience in the fields of employment law and civil litigation, acting for a range of commercial businesses from SMEs to multinationals as well as for senior executives.
