Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Employment lawData protection

General Data Protection Regulation (GDPR): an employer’s guide

by Sarah Thompson 7 Dec 2016
by Sarah Thompson 7 Dec 2016

Despite Brexit, the UK will implement the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018. Sarah Thompson discusses significant changes employers need to be aware of – including a new penalty regime – and next steps for HR.

The GDPR harmonises data protection laws across the EU and updates the current 20-year-old regime to take account of globalisation and the ever-changing technology landscape.

More GDPR guidance

Podcast: Introduction to the General Data Protection Regulation

It will apply not only to EU companies, but to any company processing the personal data of individuals in the EU in relation to offering goods or services, or to monitoring their behaviour.

Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.

The level of fine will depend on the type of breach and any mitigating factors, but they are undoubtedly meant to penalise any employer’s disregard for the GDPR.

Employers should prepare for the following changes to avoid being subject to the new enforcement penalties.

More detailed privacy notices

Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:

  • how long data will be stored for;
  • if data will be transferred to other countries;
  • information on the right to make a subject access request; and
  • information on the right to have personal data deleted or rectified in certain instances.

Restrictions to consent

Currently, many employers justify processing personal data on the basis of employee consent. This approach has been increasingly criticised because there is doubt as to whether or not consent is given freely in the subordinate employer-employee relationship.

There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Instead, employers will generally need to rely on one of the other legal grounds to process personal data.

New breach notification requirement

The GDPR imposes a new mandatory breach reporting requirement. Where there has been a data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified.

GDPR FAQs

What is the General Data Protection Regulation?

Will there be changes to the rules on obtaining consent to process personal data?

What effect will Brexit have on the application of the General Data Protection Regulation to the UK?

Data protection officers

All public authorities and those private companies involved in regular monitoring or large-scale processing of sensitive data will need to appoint a data protection officer to:

  • advise on GDPR obligations;
  • monitor compliance; and
  • liaise with the data protection authority.

How to prepare now

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

Co-operation and understanding of the new GDPR obligations across the business is critical and organisations will need HR, legal, IT and compliance teams to take a combined approach.

The most important steps for HR to take now include:

  • Carry out a data audit. Carefully assess current HR data and related processing activities and identify any gaps with the GDPR.
  • Review current privacy notices and update them to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.
  • Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether or not it meets GDPR requirements and remember that consent may be revoked at any time. Employers will generally need to rely on one of the other legal grounds to continue to process employee personal data.
  • Develop a data breach response programme to ensure prompt notification. Allocate responsibility to certain people to investigate and contain a breach, and make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • Determine whether or not a data protection officer must be appointed and, if so, think about how best to recruit, train and resource one.
Sarah Thompson

Sarah Thompson is an associate in the employment practice of international firm McGuireWoods

previous post
Failure to report gender pay gap could result in more than reputational damage
next post
Expedia retains top spot as best place to work in Glassdoor’s Employee Choice Awards

2 comments

DR S B Effiom. 21 Feb 2018 - 3:00 pm

This is an excellent piece of work.

Elizabeth Callaghan 3 May 2018 - 10:43 am

This is the most helpful article yet (and I’ve trawled through a few!)

Where does one stand with Next of Kin data? Do we have to obtain consent? Or, do we hold it due to either a ‘legitimate’ or a ‘vital’ interest?

Comments are closed.

You may also like

Minister defends Employment Rights Bill at Acas conference

16 May 2025

CBI chair Soames accuses ministers of not listening...

16 May 2025

EHRC bows to pressure and extends gender consultation

15 May 2025

‘Polygamous working’ is a minefield for HR

14 May 2025

Contract cleaner loses EAT race discrimination appeal

14 May 2025

Construction workers win compensation claim against defunct employer

9 May 2025

Zero-hours workers’ rights to be extended from beyond...

8 May 2025

Employment tribunal backlog up 23% in a year

7 May 2025

Ministers urged to outlaw misuse of NDAs

7 May 2025

M&S pauses hiring as it deals with cyber...

2 May 2025

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+