This is our guide to the General Data Protection Regulation (GDPR) for employers 

 
This information is provided by Spencer Shaw Solicitors Limited to assist employers to implement an effective Data Protection Policy for Employees, Workers and Consultants. This information constitutes training and not legal advice 
The General Data Protection Regulation (GDPR) came into force on the 25th May 2018. It replaced the Data Protection Act 1998, which was struggling to keep up with the pace of technology. GDPR will survive Brexit. The UK government aims to implement the regulation in its entirety. 
 
GDPR provides a common set of rules that can keep in step with the modern world. It provides better protection to individuals (referred to as data subjects in the regulation). While many people think of GDPR in terms of customers and clients, it also applies to information you hold about your employers, workers and consultants.  
 
As an employer, you will need to act to be compliant with GDPR. While the regulation itself is complex, the actions you take are relatively straightforward with a bit of research or with expert legal guidance. There are plenty of tools and guides available from the UK Government's Information Commissioner's Office (ICO) and specialist GDPR trainers and consultants. This document will give you an overview of GDPR and what needs to be done in respect of employee, worker and consultant personal data gathered by your business. 
Subscribe to our newsletter for more helpful guides, resources and updates: 

The key principles of GDPR 

Personal data must be processed lawfully, fairly and transparently 
Personal data must be collected for specified legitimate purposes and processed only for those purposes 
Personal data must be limited to what is needed for the purpose for which it is processed 
Personal data must be accurate and up to date 
Personal data must not be kept for longer than is necessary for its purpose 
It should be processed securely and confidentially to ensure it is not lost, stolen/hacked, damaged or destroyed 
 
Personal data is defined as information or data relating to a living person who can be identified from that data. Examples of employee personal data are names, addresses, contact details, employment details, financial information, disciplinary warnings, appraisals or health records. It even includes opinions about a person's performance in an email by a manager. 

Six lawful bases to process data 

There are six potential lawful bases for processing the personal data of your employees. These are:- 
you have the consent of your employee (or the subject of the data) 
the personal data is necessary for the performance of a contract with them e.g. an employment contract 
you require the personal data to enable you to comply with a legal obligation e.g. provide information to HMRC 
the personal data is necessary to protect the vital interests of your employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues 
it is necessary in the public interest 
it is necessary for the purposes of a legitimate interest of you, as an employer or a third party. The interests and fundamental rights and freedoms of your employee can override this basis 
As part of your preparation for GDPR, you will need to audit the information you hold on your employees and specify which of these bases apply to the data and why. You must be able to demonstrate at least one of these is applicable to the personal data you process or control. 

Consent 

GDPR says that consent must be:- 
 
freely given 
specific 
informed 
unambiguous 
 
It should be distinguishable. This means that it should be separate from other things such as employment contracts and policies. It can also be withdrawn. So, for most personal data, you may wish to consider the other five bases for processing personal data rather than relying on consent. 

'Special category' data 

Special category data (formerly known as sensitive personal data) is information that is particularly sensitive and so requires more protection. The above requirements apply to special category data, in addition to specific rules for processing this data. 
Examples of special category data are: 
 
race 
ethnic origin 
politics 
religion 
trade union membership 
genetics 
bio-metrics (where used for ID purposes) 
health 
sex life 
sexual orientation 
You will only be able to process special category data if: 
 
your employee gives their explicit consent 
it is needed to carry out rights and obligations under employment law, for example to ensure the health and safety of workers or for complying with discrimination laws 
the employee has already made the data public 
to establish, exercise or defend a legal claim 
to protect the vital interests of the employee or someone else, where the employee is incapable of giving consent. This lawful basis is very limited in its scope, and generally only applies to matters of life and death 
for the assessment of a person's working capacity 

Information to be given to your employees 

You are required to provide specified information to your employees, or the person the data relates to. This information should be concise, transparent, easily accessible and in plain language. We suggest that you provide most of the information in a data protection policy in your employee handbook. 
You must provide this information at the time you gather the personal data from them or within a reasonable time if it is obtained from another source - the ICO suggest within one month of processing. You will need to keep a record of this.  
 
We suggest getting your employees to sign that they have received a copy of your policy (assuming you have one). 
 
If you need a GDPR policy for your employee handbook, get in touch
You must tell your employees: 
 
the identity of the data controller (employer) and any data protection officer 
the purpose and the legal basis of processing 
the source and category of the data if it hasn’t come from the employee 
who will receive the data (department or roll) 
how long you intend to keep the data, e.g. for three years after their employment ends 
their rights under the regulation (see the section on rights below) 
if the data is to be transferred out of the EU, the legal basis for it and safeguards in place 
whether you use any automated decision making or profiling 

The rights of your employees 

Your employees have the right to: 
the information in the section above 
access their personal data 
correct personal data 
erase personal data (the right to be forgotten) 
restrict processing of data 
object to data processing 
receive a copy of their personal data 
transfer personal data to another data controller 
not to be subject to automated decision making 
If your employee requests a copy of their personal data you must comply without undue delay and no later than one month from the initial request. There is an extension possible in certain circumstances, of up to two months for complex or onerous requests. You are no longer able to apply a £10 fee, though reasonable charges can be made for a manifestly unfounded or excessive request. 
 
If you refuse to comply with a request, you must notify your employee of their right to complain to the ICO. You don’t need to provide legally privileged information. If you are unable to prove a legitimate interest for retaining the data, you must make sure that you can easily erase the data. Your employee can restrict processing, for example, where the employee contests data accuracy. 
 

Breaches of GDPR 

GDPR has the potential for serious penalties for breaches: 
Imposes significant fines – up to £17M (20 million Euros) or 4% annual global turnover 
Carries criminal sanctions 
Allows individuals to make claims for compensation, including financial loss and for distress caused, against Data Processors and Data Controllers 
Requires you to notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not have all the details yet 

10 Steps to be GDPR compliant with employee personal data 

Given the seriousness of the penalties for breaching GDPR, it is important that your business is fully GDPR compliant. However, this can be a daunting task, and you may be wondering where to start. The following steps will help you with compliance for your organisation’s employee personal data which is a big step forward. Much of the knowledge you gain in this arena can be applied across your organisation.  
 
If you need support through this process, we can help to ensure you understand and follow the law, and provide GDPR compliant policies and contracts. Get in touch for advice.  
 

Step 1 - Get buy-in from top management and raise awareness 

Regardless of the size of your organisation, getting ready for GDPR is easier if everyone is helping. You may need to spend money on consultants, commit your own time to this task or both. Having a plan will certainly be a good start. 
 

Step 3 - Analyse why you keep each type of personal data 

Once you have found your data you can start to think about why you need to have it. Does the data actually have a use or do you gather it just because you always have? Do you have a system of auditing the data regularly to see if you still need to keep it? 
 

Step 5 – Review and update your contracts of employment and policies 

Our handbook policy covers many of the requirements of GDPR, such as providing your employees with their rights, informing them why you process personal data about them and their responsibilities to keep personal data safe and confidential. 
 
If you don’t have a suitable policy, please get in touch with us. We can take the pain out of this process for you. 

Step 7 - Check and revise your external processes 

You may currently share personal data with other organisations such as your payroll provider. You should ensure that any contract with these organisations requires them to comply with the obligations of GDPR and specifies how they must deal with any breaches. 
 
 

Step 9 – Training 

Provide training for peoplee taking the lead in GDPR for your business, and give them the resources to do the task well. Also provide training to the rest of the organisation because data security probably rests in their hands. Most data mishaps seem to occur due to human error. 

Step 2 - Find your data 

Doing an audit of the data you hold on your employees is going to make your task a lot easier. Think beyond electronic data and dig out all those paper records sitting in the back of the filing cabinets or stored in deep storage off-site. Consider what's on emails that have been left on your system. 

Step 4 – Decide which lawful bases you are going to rely on to retain and use the personal data 

Consent is likely to be the least used reason. Think of the other five reasons of lawful bases to process personal data and apply the ones that you believe are the right fit. Also give thought to the key principles of GDPR (above). You need to be able to justify why you have the data and show that you keep it secure. 

Step 6 – Check and revise your internal processes 

GDPR creates new responsibilities which you will need to have processes for. Using the checklists on the ICO website will identify a number of these. Examples would be having processes to enable employees to apply their new rights or reporting data breaches to the ICO within the 72 hours’ time limit. 
 
 
 

Step 8 – Identify who will be responsible for data protection compliance in your organisation 

Depending on the size of your organisation and the type of processing you undertake, you may wish to appoint a Data Protection Officer if you don’t have one already. Alternatively, you could allocate responsibility to a Data Protection Manager who takes the lead in your business data matters. Whatever you do, make sure someone has the lead. 

Step 10 – Stay compliant 

After all your hard work making sure that you are compliant, you don’t want to slip back into old ways. Set reminders to audit data collected and review whether it is still required. Provide ongoing training to ensure the message sticks. 
 

And finally 

We have focused on employee personal data because we are employment law specialists, but the principles apply to all types of personal data such as mailing lists, emails to prospects and customer data bases. We can help with all aspects of GDPR if you need to apply the regulations across your business, including providing a GDPR policy for your staff handbook and GDPR compliant employment contracts
 

Get in touch 

Do you have a legal matter you'd like to discuss with us? Get in touch using the details below or use the form here and a member of our team will be in touch to discuss your enquiry. 
Phone: 0121 452 5130 
Address: Spencer Shaw Solicitors Limited 
Vancouver House, 111 Hagley Road, Edgbaston, Birmingham B16 8LB 
Opening hours: 
Monday - Friday 9:00AM - 5:00PM 
Saturday, Sunday & Bank Holidays - Closed 
Connect on social media 
We take your privacy seriously and will only use the information you provide on this contact form to deal with your enquiry. Please see our Client Privacy Policy for more detail. 
Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings