Get in Touch Menu

What employers need to know about the General Data Protection Regulation and employee data

21 February 2017

The General Data Protection Regulation (GDPR) is a new data protection law for the EU covering the processing of data by businesses.

Whilst we will be leaving the EU at some point, the UK will still need to have equivalent laws to the GDPR. This is because, if businesses want to be able to trade in the EU, they will need to comply with EU rules. We will, therefore, be stuck with it, or something which looks very much like it.

The GDPR comes into force on 25 May 2018 when, by all accounts, we will still be in the EU anyway.

Currently, our Data Protection Act dates from 1998 – when 55% of US households did not own a computer. The current law describes a computer as “equipment operating automatically in response to instructions given for the purpose of processing information”. It’s now 2017, and our existing law is extremely out of date!

Under the GDPR, employee consent, to a business processing their data, must be as easy to withdraw as it is to give. Importantly, consent must be freely given – so, where a contract requires someone to consent to data processing which isn’t necessary for the performance of the contract, that consent may not be valid. Consent needs to be explicit and businesses must be able to prove that the consent has been given.

There will also be requirements to provide more information to employees, eg they must be informed of their rights (such as the ability to withdraw consent) and how long their data will be stored for.

Businesses will still be able to transfer employee data internationally at a group level, although it may be more difficult simply to rely upon employee consent (perhaps given in an employment contract) to do this. Employers will need to check that adequate information has been given to employees about the risks. The GDPR does nothing to address the problems which have arisen recently with the ‘safe harbour’ regime.

Under the GDPR, current and former employees will still be able to make data subject access requests in the same way, but businesses will have to respond within a month, rather than the current 40 days.

In addition, businesses will be legally required to report data security breaches to the authorities, without undue delay, and, where feasible, within 72 hours of becoming aware of the breach. However, a breach will only need to be reported if it is likely to result in a risk to ‘the rights and freedoms of individuals’. This can be difficult to assess, but we have helped clients with this process in the past.

The GDPR is not a radical change in legislation, and of course, if your existing employee consents meet the new conditions you do not need to take any action. However, we recommend that you review your data protection policies and consents before May 2018, to avoid any breach of the GDPR.

We will be running a breakfast seminar on data protection on 28 March at the National Star College. Please visit our events page for more information.

Matthew heads our employment team. He handles the full range of contentious and non-contentious employment law issues for clients. His particular specialisms include complex staff restructurings and employment issues concerning business transfers. Matthew is recommended by independent legal directory Chambers and Partners which describes him as ‘solutions-focused’ and ‘a solid and respected practitioner noted for his technical abilities’. He trained and worked at a City of London law firm.

We're here to help
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
Matthew Clayton MA LLM (Cantab), CIPP/E
View profile
Mathew Clayton
Related services
Share this article
Resources to help

Related articles

Mental health & the Equality Act: tips for employers

Employment & business immigration

During Mental Health Awareness Week, employers may be thinking about things they can do to support employees suffering with their mental health. Besides the general duty of care that employers…

Jenny Hawrot LLB (Hons)

Employment law changes: a 2024 update

Employment & business immigration

Our employment law & business immigration team have put together a useful timeline to help you and your business keep on top of developments throughout the year. For several years,…

Klára Grmelová MGR (LLM Czech)

Navigating the future: protected beliefs in the workplace

Employment & business immigration

Our employment law & business immigration experts look into the challenges employers can face surrounding protected beliefs. In the past few years, we have witnessed a significant rise in employment…

Matthew Clayton MA LLM (Cantab), CIPP/E
Contact us