This is our guide to the General Data Protection Regulation (GDPR) for employers 

This information is provided by Spencer Shaw Solicitors Limited to assist employers to implement an effective Data Protection Policy for Employees, Workers and Consultants 
(Please note: This information constitutes training and not legal advice) 
The General Data Protection Regulation (GDPR) came into force on the 25th May 2018. It replaced the Data Protection Act 1998, which was struggling to keep up with the pace of technology. The GDPR provides a common set of rules that can keep in step with the modern world. It provides better protection to individuals (referred to as data subjects in the regulation). 
To be compliant with GDPR, you will need to act. While the regulation itself is complex, the actions you take are relatively straightforward with a bit of research. There are plenty of tools and guides available from the UK Government's Information Commissioner's Office (ICO) and specialist GDPR trainers and consultants. This document will give you an overview of the GDPR and what needs to be done in respect of employee, worker and consultant personal data gathered by your business. 

GDPR – What are the key principles? 

Firstly, GDPR will survive Brexit. The UK government aims to implement the regulation in its entirety. It became part of our legal system on 25th May 2018. The key principles of GDPR are:- 
personal data must be processed lawfully, fairly and transparently; 
personal data must be collected for specified legitimate purposes and processed only for those purposes; 
personal data must be limited to what is needed for the purpose for which it is processed; 
personal data must be accurate and up to date; 
personal data must not be kept for longer than is necessary for its purpose; 
it should be processed securely and confidentially to ensure it is not lost, stolen/hacked, damaged or destroyed. 
Personal data is defined as information or data relating to a living person who can be identified from that data. Examples of employee personal data are names, addresses, contact details, employment details, financial information, disciplinary warnings, appraisals or health records. It even includes opinions about a person's performance in an email by a manager. 

Six lawful bases to process data 

There are six potential lawful bases for processing the personal data of your employees. You must be able to demonstrate at least one of these is applicable to the personal data you process or control. These are:- 
with the consent of the data subject e.g. your employee. 
the personal data is necessary for the performance of a contract with them e.g. an employment contract. 
you require the personal data to enable you to comply with a legal obligation e.g. provide information to HMRC. 
the personal data is necessary to protect the vital interests of your employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues. 
it is necessary in the public interest. 
it is necessary for the purposes of a legitimate interest of you, as an employer or a third party. The interests and fundamental rights and freedoms of your employee can override this basis. 

A few words on consent 

GDPR says that consent must be:- 
freely given; 
informed; and 
It should be distinguishable. This means that it should be separate from other things such as employment contracts and policies. You will see later on that it can also be withdrawn. So, for most personal data, you may wish to consider the other five bases for processing personal data rather than relying on consent. 
As part of your preparation for GDPR, you will need to audit the information you hold on your employees and specify which of these bases apply to the data and why. 

'Special category' data (formerly sensitive personal data) 

You are only permitted to process special category data in specific situations in addition to the rules for processing personal data because it is more sensitive and needs more protection. Examples of special category data are:- 
ethnic origin; 
trade union membership; 
bio-metrics (where used for ID purposes); 
sex life; or 
sexual orientation. 
You will only be able to process special category data if:- 
your employee gives their explicit consent; 
needed to carry out rights and obligations under employment law, e.g. to ensure the health and safety of workers or for complying with discrimination laws; 
the employee has already made the data public, e.g. on social media 
to establish, exercise or defend a legal claim; 
to protect the vital interests of the employee or someone else, where the employee is incapable of giving consent. This lawful basis is very limited in its scope, and generally only applies to matters of life and death; 
for the assessment of a person's working capacity. 

Information to be given to your employees 

The information you need to give is a lot more than you may do at the moment. It should be concise, transparent, easily accessible and in plain language. Our suggestion is that you provide most of the information in a data protection policy in your employee handbook. 
You must tell your employee:- 
the identity of the data controller (employer) and any data protection officer; 
the purpose of the processing and the legal basis for it; 
the source and category of the data if it hasn’t come from the data subject; 
who will receive the data (department or roll); 
how long you intend to keep the data, e.g. for three years after their employment ends; 
their rights under the regulation (see the section on rights below); 
if the data is to be transferred out of the EU, the legal basis for it and safeguards in place; and 
whether you use any automated decision making or profiling. 
You must provide this information at the time you gather the personal data from them or within a reasonable time if it is obtained from another source.  
The ICO suggest within one month of processing.  
You will need to keep a record of this.  
We suggest getting your employees to sign that they have received a copy of your policy (assuming you have one!). 

The rights of your employees 

Your employees have the right to:- 
the information in the section above; 
access their personal data; 
correct personal data; 
erase personal data (the right to be forgotten); 
restrict processing of data; 
object to data processing; 
receive a copy of their personal data; 
transfer personal data to another data controller; and 
not to be subject to automated decision making. 
If your employee requests a copy of their personal data you must comply without undue delay and no later than one month from the initial request. There is an extension possible in certain circumstances, of up to two months for complex or onerous requests. You are no longer able to apply a £10 fee, though reasonable charges can be made for a manifestly unfounded or excessive request. 
If you refuse to comply with a request, you must notify your employee of their right to complain to the ICO. You don’t need to provide legally privileged information. If you are unable to prove a legitimate interest for retaining the data, you must make sure that you can easily erase the data. Your employee can restrict processing, for example, where the employee contests data accuracy. 

Risks to note 

GDPR has some teeth and you should be mindful of the following:- 
Imposes significant fines for breaches – up to £17M (20 million Euros) or 4% annual global turnover. 
Carries criminal sanctions for breaches. 
Allows individuals to make claims for compensation for breaches, including financial loss and for distress caused, against Data Processors and Data Controllers. 
Must notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not have all the details yet. 

10 Steps to be GDPR compliant with employee personal data 

If this is your first venture into the world of GDPR you may be feeling a little overwhelmed about the work involved to be compliant. You may also be wondering where to start. The following steps will help you with compliance for your organisation’s employee personal data which is a big step forward. Much of the knowledge you gain in this arena can be applied across your organisation. If you’ve already looked at GDPR or attended one of our workshops, this section will help remind you of what needs to happen. 

Step 1 - Get buy-in from top management and raise awareness 

Regardless of the size of your organisation, getting ready for GDPR is easier if everyone is helping. You may need to spend money on consultants, commit your own time to this task or both. Having a plan will certainly be a good start. 

Step 2 - Find your data 

Doing an audit of the data you hold on your employees is going to make your task a lot easier. Think beyond electronic data and dig out all those paper records sitting in the back of the filing cabinets or stored in deep storage off-site. Consider what's on emails that have been left on your system. 

Step 3 - Analyse why you keep each type of personal data 

Once you have found your data you can start to think about why you need to have it. Does the data actually have a use or do you gather it just because you always have? Do you have a system of auditing the data regularly to see if you still need to keep it? 

Step 4 – Decide which lawful bases you are going to rely on to retain and use the personal data 

Consent is likely to be the least used reason. Think of the other five reasons of lawful bases to process personal data and apply the ones that you believe are the right fit. Also give thought to the key principles of GDPR at the start of this article. You need to be able to justify why you have the data and show that you keep it secure. 

Step 5 – Review and update your contracts of employment and policies 

If you have attended our GDPR workshop for employers you will have a handbook policy which covers many of the requirements of GDPR, such as providing your employees with their rights, informing them why you process personal data about them and their responsibilities to keep personal data safe and confidential. 
If you don’t have a suitable policy, please get in touch with us. We can take the pain out of this process for you. 

Step 6 – Check and revise your internal processes 

GDPR creates new responsibilities which you will need to have processes for. Using the checklists on the ICO website will identify a number of these. Examples would be having processes to enable employees to apply their new rights or reporting data breaches to the ICO within the 72 hours’ time limit. 

Step 7 - Check and revise your external processes 

You may currently share personal data with other organisations such as your payroll provider. You should ensure that any contract with these organisations requires them to comply with the obligations of GDPR and how they must deal with any breaches. 

Step 8 – Identify who will be responsible for data protection compliance in your organisation 

Depending on the size of your organisation and the type of processing you undertake, you may wish to appoint a Data Protection Officer if you don’t have one already. Alternatively, you could allocate responsibility to a Data Protection Manager who takes the lead in your business data matters. 
Whatever you do, make sure someone has the lead. 

Step 9 – Training 

Provide training for everyone taking the lead in GDPR for your business and give them the resources to do the task well. Also provide training to the rest of the organisation because data security probably rests in their hands. Most data mishaps seem to occur due to human error. 

Step 10 – Stay compliant 

After all your hard work making sure that you are compliant, you don’t want to slip back into old ways. Set reminders to audit data collected and review whether it is still required. Provide ongoing training to ensure the message sticks. 

And finally 

We have focused on employee personal data because we are employment law specialists, but the principles apply to all types of personal data such as mailing lists, emails to prospects and customer data bases. We can help with all aspects of GDPR if you need to apply the regulations across your business.  

Get in touch 

Do you have a legal matter you'd like to discuss with us? Get in touch using the details below or use the form here and a member of our team will be in touch to discuss your enquiry. 
Phone: 0121 452 5130 
Address: Spencer Shaw Solicitors Limited 
Vancouver House, 111 Hagley Road, Edgbaston, Birmingham B16 8LB 
Opening hours: 
Monday - Friday 9:00AM - 5:00PM 
Saturday, Sunday & Bank Holidays - Closed 
Connect on social media 
We take your privacy seriously and will only use the information you provide on this contact form to deal with your enquiry. Please see our Client Privacy Policy for more detail. 
Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings