The General Data Protection Regulation – A Guide For Employers

Dealing with employee data can be a nightmare for employers. It raises a number of issues concerning what type of data an employer may be entitled to obtain, retain and pass on to third parties.

In this guide, David Hession, Employment Law Associate, sets out steps that employers can take in order to comply with the new General Data Protection Regulation (GDPR) due to come into force on 25th May 2018. Whilst this guidance focuses on employee data, employer organisations may also hold data on various other individuals such as students, patients, service users or suppliers.


Review Your Existing Policies And Procedures

Under the new GDPR, the maximum fine imposed on employers for breaching data protection is set at up to 20 million euro, or 4% of total worldwide turnover, whichever is higher. If companies want to avoid these penalties, then it is in their best interests to review their existing procedures.

The first step that employers should take is to ensure that their policies and procedures are updated in order to adhere to the new regulation. To supplement this, employers may also consider implementing data protection training for employees, particularly those who undertake a management function.

It is a common excuse for employees to say that they were unaware of changes to the employer’s policies. Excuses such as these will not serve as a defence in the event of a data security breach. By providing adequate training or putting guidelines in place, employers can help to avoid liability.

It is important that employers understand their duties towards their staff when it comes to holding personal data on file, so that appropriate procedures can be implemented.

Dealing With Subject Access Requests


As many employers will already be aware, subject access requests occur when an employee makes a written request for information in accordance with their rights under the Data Protection Act.

The timeframe for dealing with any subject access request will change from 40 days to one month under the GDPR. Employees will have the right to request that any personal data about them be erased, provided certain conditions are met. Data that is no longer necessary for the purposes for which it was collected is likely to fall into this category.

Under the new regulation, employers are required to inform any other organisations who hold this data that the individual has requested erasure of this information. Employers should also have a clear awareness of the limited circumstances where subject access requests may be rejected, e.g. where the request is unfounded or excessive.

Auditing Or Reviewing Existing Data

It is important for employers to conduct an audit on the existing data that they have and how this has been obtained. The GDPR contains more stringent obligations in relation to employee consent. Employees must also be informed of their right to withdraw their consent at any stage.

Employers are not required to obtain fresh consent for employee data that has already been gathered. However, it is important to ensure that any consent provisions put in place are consistent with the new GDPR consent requirements.

One example is where employers gather sensitive data in relation to racial origin or religious beliefs. Under the new regulation, clear and explicit consent must be given, and employees must be informed of their right to withdraw consent at any stage.

Report Any Breaches

The GDPR imposes an obligation on employers to report any data protection breaches to the Information Commissioner’s Office. The maximum time frame for reporting such a breach is 72 hours. Employers can deal with this new requirement by amending their policies and making staff aware of the changes. Organisations may also consider training their staff, particularly those employees who handle large amounts of data on a daily basis.

Appoint A Data Protection Officer

The GDPR sets out that certain categories of employers need to appoint a data protection officer. This includes public bodies and organisations that process and monitor data on a large scale. Even if you do not fall into this category as an employer, it may be good practice to appoint someone who is responsible for employee data.

This does not necessarily have to involve a specialist role. To ensure accountability, employers may want to include this responsibility within an employee’s job specification. This helps employers to designate a point of contact in case other employees have queries or concerns in relation to data protection issues.

Simpson Millar Can Help You With The General Data Protection Regulation

To avoid fines, or simply improve your understanding of data protection regulations, contact one of Simpson Millar's Employment Law specialists today.

Contact our employment law solicitors now to get the employment law advice you need. You can complete our no-obligation online enquiry form and we will call you back, or you can call us directly on freephone: 0808 129 3320.


David Hession | Associate, Employment Law | Simpson Millar LLP
