Personnel Today

General Data Protection Regulation (GDPR): an employer’s guide

by Sarah Thompson 7 Dec 2016

Despite Brexit, the UK will implement the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018. Sarah Thompson discusses significant changes employers need to be aware of – including a new penalty regime – and next steps for HR.

The GDPR harmonises data protection laws across the EU and updates the current 20-year-old regime to take account of globalisation and the ever-changing technology landscape.

It will apply not only to EU companies, but to any company processing the personal data of individuals in the EU in relation to offering goods or services, or to monitoring their behaviour.

Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.

The level of fine will depend on the type of breach and any mitigating factors, but the fines are undoubtedly meant to penalise any employer’s disregard for the GDPR.

Employers should prepare for the following changes to avoid being subject to the new enforcement penalties.

More detailed privacy notices

Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:

  • how long data will be stored for;
  • if data will be transferred to other countries;
  • information on the right to make a subject access request; and
  • information on the right to have personal data deleted or rectified in certain instances.

Restrictions to consent

Currently, many employers justify processing personal data on the basis of employee consent. This approach has been increasingly criticised because there is doubt as to whether or not consent is given freely in the subordinate employer-employee relationship.

There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Instead, employers will generally need to rely on one of the other legal grounds to process personal data.

New breach notification requirement

The GDPR imposes a new mandatory breach reporting requirement. Where there has been a data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified.

Data protection officers

All public authorities and those private companies involved in regular monitoring or large-scale processing of sensitive data will need to appoint a data protection officer to:

  • advise on GDPR obligations;
  • monitor compliance; and
  • liaise with the data protection authority.

How to prepare now

Co-operation and understanding of the new GDPR obligations across the business is critical and organisations will need HR, legal, IT and compliance teams to take a combined approach.

The most important steps for HR to take now include:

  • Carry out a data audit. Carefully assess current HR data and related processing activities and identify any gaps with the GDPR.
  • Review current privacy notices and update them to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.
  • Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether or not it meets GDPR requirements and remember that consent may be revoked at any time. Employers will generally need to rely on one of the other legal grounds to continue to process employee personal data.
  • Develop a data breach response programme to ensure prompt notification. Allocate responsibility to certain people to investigate and contain a breach, and make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • Determine whether or not a data protection officer must be appointed and, if so, think about how best to recruit, train and resource one.

Sarah Thompson is an associate in the employment practice of international firm McGuireWoods

2 comments

DR S B Effiom. 21 Feb 2018 - 3:00 pm

This is an excellent piece of work.

Elizabeth Callaghan 3 May 2018 - 10:43 am

This is the most helpful article yet (and I’ve trawled through a few!)

Where does one stand with Next of Kin data? Do we have to obtain consent? Or, do we hold it due to either a ‘legitimate’ or a ‘vital’ interest?

© 2011 - 2022 DVV Media International Ltd
