Data protection - General Data Protection Regulation (GDPR)


  • The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
  • Creates a single approach and framework for data protection and control across the EU and accommodates the advances in and use of technology in business.
  • Creates an onus on businesses to take responsibility for the protection of personal data they hold - and to demonstrate how they have done so.
  • Significant focus on the issue of consent to data processing – which must be freely given, specific, informed and unambiguous.
  • Prohibits the use of pre-ticked boxes indicating consent or ‘consent by default’.
  • Provides individuals (e.g. employees) with much greater control of their personal data including the right to withdraw consent to data processing at any time, and the right to be forgotten.
  • Imposes further data security requirements, such as an obligation to impose contractual conditions on other businesses which may process the personal data of its employees (e.g. an external payroll provider).
  • New requirements of accountability whereby employers must be able to prove that they have completed with GDPR requirements.
  • Creates and obligation on certain businesses to appoint a Data Protection Officer.
  • New duties in relation to the notification of any data breaches, including the duty to notify data protection authorities within 72 hours of a breach.
  • New, tougher penalties in the event of a data breach, including fines of up to €20 million or 4% of worldwide turnover, whichever is higher.


  • The GDPR replaces the EU’s Data Protection Directive of 1995 – enacted in the UK as the Data Protection Act 1998 (DPA 1998). The new regulation, unlike the directive it replaces, is directly applicable in all EU member states and therefore wil be law in this country whilst the UK remains part of the EU. It has been implemented into national law by the Data Protection Act 2018.
  • Even if this were not the case, the GDPR will apply to any organisation which employs people to work within the EU, if they offer goods or services in the EU, or if they monitor the behaviour of customers or individuals within the EU.
  • In short, therefore, if your business was subject to the DPA 1998 , then it will also be subject to the GDPR.


  • The basic principles of data protection set out in the GDPR are very similar to those previously contained in the DPA 1998, although they have been reduced from eight to six. They set out the main intention of the regulation and spirit in which they are intended, and provide a universal set of ideals to be applied across the EU:
  • Lawfulness, fairness and transparency – personal data should be processed lawfully, fairly and in a transparent manner
  • Purpose limitation – data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimisation – personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy – data must be accurate and, where necessary, kept up to date. Where data is inaccurate, it should be erased or corrected without delay
  • Storage limitation – data should be kept in a form which permits identification of the data subjects for no longer than is necessary for the purpose for which it is processed
  • Integrity and confidentiality – data should be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised and unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • A principal difference with the DPA 1998 is the way in which the GDPR prescribes and obliges employers to meet these common ideals.


  • Under the DPA 1998 organisations were expected to provide information to employees and job applicants about the collection of their personal data in a ‘fair processing/privacy notice’. Many did this in the form of their own data protection policy.
  • The GDPR requires (prospective) employers to include far more extensive information in these notices, such as:
  • information on their identity
  • how they intend to use the data
  • why it is being processed
  • how long the data will be retained
  • how the individual can raise a complaint
  • In light of these additional requirements, employers should review their data protection policies, or privacy notices to ensure that they comply.
  • Many, if not the majority, of employers rely upon the consent of their employees to process their personal data. However, the Information Commissioner's Office (ICO) has long advised against relying upon consent, and the GDPR makes it harder to do so.
  • Some employers presume that consent will be given by the employee, and suggest that the employee only need do anything if they wish to ‘opt out’ and deny this consent to their personal data being processed. This approach is strictly prohibited by the GDPR.
  • More commonly, employers set out that their employees’ consent in the contract of employment, and request that the employee signs as a positive statement of their consent. However, under the GDPR, it is unlikely that this practice will be deemed adequate.
  • Under the GDPR, consent must be freely given. By placing the consent requirement in a contract of employment, the employee’s job is contingent upon the consent in a ‘take it or leave it situation’. Therefore, the consent will not be freely given and so will not be valid.
  • Employers should first consider if consent is the only ground on which they can rely to justify processing employees’ personal data (alternative grounds include that it is necessary for the purpose of the legitimate interests of the employer or for the performance of the employment contract). However, if they do still require the consent of their employee, the GDPR requires a ‘clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement’.
  • An employer must also explain to the employee that consent can be withdrawn at any time, before it is obtained, and it must be possible to withdraw that consent easily.
  • Therefore, a statement of consent should not be contained in the contract of employment, but should be set out in a separate document, and employee must be free to withdraw that consent.
  • The Information Commissioner has developed guidance on the issue of consent under the GDPR and you should keep an eye on the ICO data protection reform section of its website.


  • Under the GDPR, employees have new and increased rights to object to the processing of certain data, to restrict how it is used and to have it corrected or deleted all together.
  • If a valid application is made for data to be corrected or deleted, an employer must comply without delay. This may include a situation where an employee challenges the validity of the consent obtained or the content of the privacy notice.
  • Further, unless it is necessary for entering into, or performance of, a contract between the employer and employee, is authorised by EU or UK law or is based on the employee’s explicit consent, employees have the right not to be subject to automated decision making, including profiling if it impacts on them legally or significantly.
  • This is likely to apply to matters such as automated short listing; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering.


  • Where an employer engages a third party who may process the personal data of its employees, such as a payroll provider, they have to provide detailed instructions to the service provider to authorise the performance of their tasks. The service provider will then be obliged to comply, and may be subject to penalties if they fail to do so.
  • This is likely to lead to a change in the nature and term offered by such service providers to accommodate their own increased liability.


  • Public authorities and those organisations which regularly or systematically monitor individuals or process sensitive personal data (e.g. related to health, racial or ethnic origin) and personal data relating to criminal convictions and offences need to appoint a Data Protection Officer (DPO).
  • The DPO will be expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the GDPR.
  • The DPO may be employed or under a service contract. A group of undertakings may appoint a single DPO (conditional on accessibility by all), as may certain groups of public authorities.
  • Other organisations may decide a DPO is advisable to ensure compliance with the GDPR.


  • Employers are already used to receiving SARs from employees. The GDPR expands upon individuals’ rights to require that data processors delete, correct or restrict the processing of their personal data and imposes additional obligations on employers to promote the principle of transparency.
  • Employers now have to respond to a SAR without ‘undue delay’ and no later than one month rather than the previous 40 days - subject to a two-month extension for complex/multiple requests, although employers must notify the employee and explain why the extension is necessary within the normal one-month deadline.
  • Employers have lost the right to charge a standard fee of up to £10 for any SAR but they are entitled to charge a reasonable fee in respect of administrative costs where a request is manifestly unfounded or excessive.
  • Responses will have to include certain information, including the legal basis for processing personal data, the data retention period, details of any transfers outside the EEA and any relevant safeguards, the employee’s right to have inaccurate data corrected and the employee’s right to make a lodge a complaint with the ICO.
  • The method of delivery should match the request; if the request is made electronically, the response should be electronic as well (most likely by way of a file sharing platform).
  • The Data Protection Act 2018 makes it a criminal offence to alter records with the intent to prevent disclosure following a SAR, which will be punishable by an unlimited fine.
  • Employees have the right to require data is deleted or rectified. They will be entitled to check data (by making a SAR) and then demand it is deleted on one of a number of grounds (e.g. if the data is no longer necessary for the purpose for which it was obtained).
  • Where data is alleged to be inaccurate, employers will also have to check and, if necessary, amend the data and they will be restricted as to how to use such data in the interim.


  • Breach of the GDPR may lead to onerous sanctions which will heavily penalise compliance failures.
  • Infringements of any of the basic principles for processing (including conditions for consent) and the rights of data subjects will attract maximum penalties of €20,000,000 or 4% of the organisation’s total worldwide annual turnover, if higher.
  • Employers are now required to notify the ICO of any data protection breaches within 72 hours of becoming aware of a breach resulting in unauthorised loss, amendment or disclosure of data - unless the breach is unlikely to result in a risk to the rights of employees.
  • If there is a high risk to the data protection rights of any affected employees, employers also have to communicate the breach promptly to the employees individually.
  • Failure to notify a breach when required to do so could result in a fine - in addition to any sanction for the breach itself.