Expertise and advice so you're always one step ahead - sign up to receive the latest legal updates, events & seminar news
HomeInsights & thinkingWhat employers need to know about the General Data Protection Regulation and employee data
What employers need to know about the General Data Protection Regulation and employee data
21 February 2017
The General Data Protection Regulation (GDPR) is a new data protection law for the EU covering the processing of data by businesses.
Whilst we will be leaving the EU at some point, the UK will still need to have equivalent laws to the GDPR. This is because, if businesses want to be able to trade in the EU, they will need to comply with EU rules. We will, therefore, be stuck with it, or something which looks very much like it.
The GDPR comes into force on 25 May 2018 when, by all accounts, we will still be in the EU anyway.
Currently, our Data Protection Act dates from 1998 – when 55% of US households did not own a computer. The current law describes a computer as “equipment operating automatically in response to instructions given for the purpose of processing information”. It’s now 2017, and our existing law is extremely out of date!
Under the GDPR, employee consent, to a business processing their data, must be as easy to withdraw as it is to give. Importantly, consent must be freely given – so, where a contract requires someone to consent to data processing which isn’t necessary for the performance of the contract, that consent may not be valid. Consent needs to be explicit and businesses must be able to prove that the consent has been given.
There will also be requirements to provide more information to employees, eg they must be informed of their rights (such as the ability to withdraw consent) and how long their data will be stored for.
Businesses will still be able to transfer employee data internationally at a group level, although it may be more difficult simply to rely upon employee consent (perhaps given in an employment contract) to do this. Employers will need to check that adequate information has been given to employees about the risks. The GDPR does nothing to address the problems which have arisen recently with the ‘safe harbour’ regime.
Under the GDPR, current and former employees will still be able to make data subject access requests in the same way, but businesses will have to respond within a month, rather than the current 40 days.
In addition, businesses will be legally required to report data security breaches to the authorities, without undue delay, and, where feasible, within 72 hours of becoming aware of the breach. However, a breach will only need to be reported if it is likely to result in a risk to ‘the rights and freedoms of individuals’. This can be difficult to assess, but we have helped clients with this process in the past.
The GDPR is not a radical change in legislation, and of course, if your existing employee consents meet the new conditions you do not need to take any action. However, we recommend that you review your data protection policies and consents before May 2018, to avoid any breach of the GDPR.
We will be running a breakfast seminar on data protection on 28 March at the National Star College. Please visit our events page for more information.
Matthew heads our employment team. He handles the full range of contentious and non-contentious employment law issues for clients. His particular specialisms include complex staff restructurings and employment issues concerning business transfers. Matthew is recommended by independent legal directory Chambers and Partners which describes him as ‘solutions-focused’ and ‘a solid and respected practitioner noted for his technical abilities’. He trained and worked at a City of London law firm.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
The new Labour government has scrapped the Conservative bill that gives workers the right to request a predictable working pattern, in favour of stronger, more certain working hours. As well…
Changes to the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) are now in effect for transfers taking place on or after 1 July 2024. The new rules relating…
The new ‘Tipping Act’ will come into force on 1 October 2024. The new Employment (Allocation of Tips) Act 2023 – also known as the Tipping Act – is to…
By clicking Accept you are agreeing to the use of all cookies which will allow us to provide you with the most relevant experience when visiting or re-visiting this website. This means that your personal preferences will be remembered when you use this website. You can change your consent or choose specific settings by clicking "Cookie Settings". By clicking "Reject All" we will not use any non-essential cookies. Essential cookies will still be used for the website to function properly. Please see our cookie policy and privacy notice for more information about how we process your personal data.
Our website uses cookies to improve your experience while you navigate through our website. Out of these cookies, the cookies that are categorised as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies but it may affect your browsing experience on our website. You can find our cookie policy here.
Necessary cookies are absolutely essential for our website to function and enable core functionality such as security and accessibility. These cookies do not store any personal information. You can block these cookies by changing your browser settings, but this may affect how the website functions.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
mgref
1 year
This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
yt-player-headers-readable
never
The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-installed
session
The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period
session
The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app
session
The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name
session
The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY
never
The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga
2 years
The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat
1 minute
This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gid
1 day
Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_s
1 year
This cookie is associated with Shopify's analytics suite.
G
1 year
Cookie used to facilitate the translation into the preferred language of the visitor.
vuid
2 years
Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
VISITOR_INFO1_LIVE
6 months
YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA
6 months
YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC
session
Youtube sets this cookie to track the views of embedded videos on Youtube pages.