Data protection for employers


  • Key to the current data protection legislation is that it places an onus on businesses to take responsibility for the protection of personal data they hold - and to demonstrate how they have done so.
  • Significant focus on the issue of consent to data processing – if you must rely upon consent rather than any other basis to justify processing data, it must be freely given, specific, informed and unambiguous.
  • Businesses must not presume that consent is given or rely upon pre-ticked boxes indicating consent or ‘consent by default’ whereby individuals have to actively ‘opt out’ to confirm that they do not consent.
  • The law provides individuals (e.g., employees) with the rights and ability to control their personal data and how it is used, including the right to withdraw consent to data processing at any time, and the right to be forgotten (although this is subject to a number of qualifications and caveats).
  • Data protection legislation also:
    • imposes strict data security requirements, such as an obligation to impose contractual conditions on other businesses which may process the personal data of its employees (e.g. an external payroll provider)
    • imposes a duty of accountability upon businesses and employers - businesses are expected to demonstrate that they understand their responsibilities in relation to data protection and the steps that they have taken to ensure that they comply with those (ignorance of those obligations is not a defence)
    • places a duty on most businesses (those that act as data controllers) to register with the Information Commissioner’s Office (ICO), and to pay an annual Data Protection Fee. There are three tiers of fee: Tier 1, £40, applies to businesses with no more than 10 employees and an annual turnover not exceeding £632,000; Tier 2, £60, for businesses with no more than 250 employees and a turnover of up to £36,000,000; and Tier 3, £2,900 for all other businesses. There are several exemptions to the requirement to pay the fee, the most common of which are likely to be where a business can show that they are only processing data for employee administration, advertising, marking and public relations, or that they process it for accounts and records only. The ICO maintains a full, updated list of the exemptions that may apply
    • places an obligation on certain businesses to appoint a Data Protection Officer
    • imposes a duty, where a business discovers it has been subject to a data breach, to notify data protection authorities within 72 hours of that breach, and also to notify the data subject, and
    • provides for tough penalties in the event of a data breach


  • The General Data Protection Regulation (GDPR) is the European legislation that forms the basis of the modern UK data protection laws. It has been incorporated into UK law as the ‘UK GDPR’ and through the Data Protection Act 2018.
  • One of the aims of the original GDPR was to produce a uniform system and standard of data protection across the EU. This would facilitate the easy transfer of data throughout the EU and impose uniform standards for the transfer of data in and out of the EU. Therefore, any organisation which employs people to work within the EU, if they offer goods or services in the EU, or if they monitor the behaviour of customers or individuals within the EU must still be aware of and comply with the EU GDPR.


  • There are six basic principles of data protection. These set out the universal set of ideals to be applied by all businesses:
  1. Lawfulness, fairness and transparency - personal data should be processed lawfully, fairly and in a transparent manner
  2. Purpose limitation - data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (i.e., you must not use the data for anything other than the purposes you state)
  3. Data minimisation -personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. Accuracy - data must be accurate and, where necessary, kept up to date. Where data is inaccurate, it should be erased or corrected without delay
  5. Storage limitation - data should be kept in a form which permits identification of the data subjects for no longer than is necessary for the purpose for which it is processed
  6. Integrity and confidentiality - data should be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised and unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • Further to these basic principles is the overarching obligation that businesses and employers are obliged to understand their duties in relation to data protection, to put in place systems and structures that allow them to comply, and to demonstrate how they meet these common ideals.


  • All businesses are obliged to publish a privacy notice, and this may be the easiest document to include information relevant to job applicants, unless a business wishes to include it into a dedicated data protection policy.
  • Employers and prospective employers alike are required to include specific and extensive information in these notices, such as:
    • information on their identity
    • how they intend to use the data collected in the course of the application process (this will include details collected when an individual visits a business’ website)
    • why it is being processed
    • how long the data will be retained
    • how the individual can raise a complaint
  • Employers should review their data protection policies, or privacy notices to ensure that they comply with these obligations and that they are kept up to date so that they accurately reflect the ways in which the business does capture, process and store data.


  • Many, if not most employers have historically relied upon the consent of their employees to process their personal data. However, the Information Commissioner’s Office (ICO) has long advised against relying upon consent, and the current data protection laws make it harder to do so.
  • Some employers presume that consent will be given by the employee and suggest that the employee only need do anything if they wish to ‘opt out’ and deny this consent to their personal data being processed. This approach is strictly prohibited.
  • More commonly, employers set out their employees’ consent in the contract of employment, and request that the employee signs as a positive statement of their consent. However, it is generally presumed that this practice is inadequate. Consent must be freely given. By placing the consent requirement in a contract of employment, the employee’s job is contingent upon the consent in a ‘take it or leave it’ situation. Therefore, the consent will not be freely given and so will not be valid.
  • Employers should first consider if consent is the only ground on which they can rely to justify processing employees’ personal data (alternative grounds include that it is necessary for the purpose of the legitimate interests of the employer or for the performance of the employment contract). However, if they do still require the consent of their employee, this must be demonstrated in the form of a ‘clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement’.
  • An employer must also explain to the employee that consent can be withdrawn at any time, before it is obtained, and it must be possible to withdraw that consent easily.
  • Therefore, a statement of consent should not be contained in the contract of employment, but should be set out in a separate document, and employee must be free to withdraw that consent.
  • The Information Commissioner has published guidance on the issue of consent.


  • Employees have increased rights to object to the processing of certain data, to restrict how it is used and to have it corrected or deleted all together.
  • If a valid application is made for data to be corrected or deleted, an employer must comply without delay. This may include a situation where an employee challenges the validity of the consent obtained or the content of the privacy notice.
  • Further, unless it is necessary for entering, or performance of, a contract between the employer and employee, is authorised by EU or UK law or is based on the employee’s explicit consent, employees have the right not to be subject to automated decision making, including profiling if it impacts on them legally or significantly.
  • This applies to matters such as automated short listing; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering.
  • The employee’s ‘right to be forgotten’, i.e., to have their personal data stored by an employer, only applies to data which is no longer legally and justifiably required by the employer. Therefore, if a former employee makes an application for their data to erased, this would not apply to, say, payroll data as the employer has a legal obligation to HMRC to retain that information for three years past the tax year to which they relate. Any such legal obligation trumps the employee’s right to request that the data is deleted until that retention period expires.


  • Where an employer engages a third party who may process the personal data of its employees, such as a payroll provider, they must provide detailed instructions to the service provider to authorise the performance of their tasks. The service provider will then be obliged to comply and may be subject to penalties if they fail to do so.
  • This is likely to lead to a change in the nature and details of the terms offered by such service providers to accommodate their own increased liability.
  • This has become particularly important for any UK businesses who employ or contract with individuals or businesses within the EU since the end of the Brexit transition period - see Data transfers with the EEA.


  • Public authorities and those organisations which regularly or systematically monitor individuals or process sensitive personal data (e.g., related to health, racial or ethnic origin) and personal data relating to criminal convictions and offences need to appoint a Data Protection Officer (DPO).
  • The DPO will be expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the relevant data protection regulations.
  • The DPO may be employed or under a service contract. A group of undertakings may appoint a single DPO (conditional on accessibility by all), as may certain groups of public authorities.
  • Other organisations may decide a DPO is advisable to ensure compliance.


  • Subject Access Requests (SARs) are an opportunity for employees to check what data an employer holds about them, that it is being processed and stored correctly and who it is potentially being shared with. If they find that their employer does not hold the correct data, has collected data inappropriately, or has retained the data longer than they should without systematically reviewing and deleting, they are entitled to make a complaint to the Information Commissioner. The right of the employee to gain access to their data is intended to promote the principle of transparency and general compliance.
  • Employers must respond to a SAR ‘without delay’ and no later than one month - subject to a two-month extension for complex/multiple requests, although employers must notify the employee and explain why the extension is necessary within the normal one-month deadline.
  • Following a 2023 review of the use of SARs, the ICO has produced further guidance for employers. Whilst this does provide useful clarification on some common practical issues faced by the recipients of an SARs, and highlights some exceptions that apply, it also serves to remind data controllers of the importance of an individual’s right to access their personal data and how this should not be compromised readily and without good cause.
  • For more on SARs and some Q&As, see our separate guide.


  • If a business wishes to transfer data from the UK to anywhere else in the world, it must be sure that the data will remain adequately protected. It would also need to justify the reason as to why it needs to transfer the data overseas.
  • In many cases this is done through the framework of international agreements.
  • The UK aspires to maintain a ‘gold standard’ of data protection and, in many cases, incoming transfers of data are not an issue.
  • The GDPR had created a uniform standard of data protection for the EU and so any data transfers could be made with the European Economic Area (EEA) without any problem or the need for additional safeguards.
  • The UK government has confirmed that transfers from the UK to the EEA can lawfully continue without any additional safeguards. 
  • On 17 February 2021, the EU published draft data adequacy decisions which recognise the sufficiency of the UK’s data protection standards.


  • Breach of their data protection obligations could lead to onerous sanctions on employer, including fines, as well as an inspection and audit by the ICO.
  • Generally, the ICO’s approach in case of breaches made in an employment context has been to educate the parties involved and encourage and facilitate compliance where possible, with follow-up inspections to ensure that improvements have been made.
  • However, it has also been well publicised that significant fines have been issued in cases of serious or repeated breaches.
  • Employers are required to notify the ICO of any data protection breaches within 72 hours of becoming aware of a breach resulting in unauthorised loss, amendment or disclosure of data - unless the breach is unlikely to result in a risk to the rights of employees.
  • If there is a high risk to the data protection rights of any affected employees, employers also must communicate the breach promptly to the employees individually.
  • Failure to notify a breach when required to do so could result in a fine - in addition to any sanction for the breach itself.