Essential GDPR guide for employers

May 1, 2018

Categorised in: News

What is the GDPR?

The General Data Protection Regulation, GDPR, to come into effect on the 25th of May 2018, aims to give control over personal data back to citizens by giving them a new set of “digital rights”. The GDPR was developed to bring data protection regulations to the 21st century, taking into account the ever-changing technology landscape.

GDPR is an EU law and it covers all residents of the European Union as well as foreign companies processing the data of EU residents. It will replace the 1995 Data Protection Directive, but unlike a directive, it does not require national governments to pass enabling legislation, so it is directly binding and applicable.

The GDPR protects:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

For employers, GDPR brings a number of changes to take into account when processing and handling employee data. We highlight the main changes employers must be aware of:

Privacy notice

Under the GDPR, when personal data is collected, employers will be required to provide employees and job applicants with a privacy notice setting out the following information:

  • The identity and contact details of the employer (the data controller);
  • Contact details for the data protection officer, if the company has one;
  • The recipients of the data;
  • How long data will be stored for;
  • If data will be transferred to other countries and the legal basis for that;
  • The purpose of the data processing;
  • Whether the employee is obliged to provide the data by statute, contract, or for another reason, and the possible consequences of failing to provide the data;
  • Whether the personal data will go through any automated processing and, if so, the logic and consequences of the processing for the employee;
  • Information on the right to make a subject access request; and
  • Information on the rights of the individual employee or applicant, including rights to access, rectify and request erasure of data.

All information should be provided in a concise and transparent manner, in plain language, and be easily accessible to the subject.


Because of the subordinate nature of an employer-employee relationship, the consent approach to data processing has been heavily criticised, therefore GDPR has made the concept of consent a lot stricter.

The new regulation defines consent must be:

  • Freely given:

GDPR states that consent is not valid if there is a “clear imbalance between the data subject (employee) and controller (employer)”, that means the consent will be invalid if it is clear that either is a threat of disciplinary action or other detriment for consent refusal.

  • Specific and informed:

Consent can only be classed as informed if the data subject knows at least the identity of the data controller and the purposes of the data processing. As for specification, this means that if the data will be processed for multiple purposes, consent should be granted to each of the purposes individually and an all inclusive consent for multiple purposes is not valid.

  • Unambiguous:

Unambiguous consent means consent should leave no doubt as to the data subject’s intention to deliver this consent. It doesn’t need to be expressed, it can be inferred from certain actions. However, making it expressed provides another level of safeguarding to the employer.

Where consent is given in a written declaration which covers other matters, the request for consent must be “clearly undistinguishable” from those matters and presented in an “intelligible and easily accessible form”.

GDPR also makes it clear that the employee also has the right to withdraw consent at any time and that companies must make as easy to withdraw consent as it is to give it. If the withdrawal right is not compliant to GDPR requirements, consent will not have been validly obtained.

Right to be forgotten

With GDPR, employees and prospects have the right to request their personal data to be erased if:

  • The data is no longer necessary for the purposes for which it has been collected
  • They withdraw consent and the employer has no other lag ground to processing the data
  • They object to processing and there is no legal ground that overrides their interests

When an employee requests that their data is deleted, employers are also obliged to inform any third parties that the individual has requested the removal of any links to, or copies of, their personal data.

However, if the employee data is required under EU or Member State Law or if it’s necessary to establish, pursue or defend legal claims, the employers is allowed to maintain it.

Right to data portability

Employees and prospects also have the right to receive their personal data in a structured, commonly-used and machine readable form and transmit that data to other controller without hindrance.

Demonstrating compliance

Under GDPR, employers must be able to prove they have complied to the data processing principles it establishes. This means companies will need to have put in place one or more data protection policies to demonstrate the data processing is carried out in accordance to GDPR. Employers should also show they have implemented the policy in question, maintaining records of processing activities, for example.

What if I don’t comply?

The penalties for not following the basic principles of data processing under the GDPR can go up to €20 million or 4% of your global annual turnover, whichever is greater. In case of a data breach, data controllers could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher, in case they fail to call the data protection authority and the people affected by the data breach within 72 hours.

And how about Brexit?

GDPR takes effect a little less than a year before the UK leaves the EU, therefore, UK companies must comply to the new regulation. After Brexit, in order to continue business with EU countries, companies must comply to the GDPR too.

With that in sight, a new Data Protection Bill mirroring the GDPR regulations has been put forward by the UK government in August 2017, therefore those compliant to the GDPR should be compliant with the new UK data protection law too.

How to prepare for GDPR – a checklist:

Preparing for GDPR will require a combined approach by HR, legal, IT and compliance teams. Here are a few important steps to take now:

  • Carry out a data audit, documenting the personal data the company holds, where it came from and who it is shared with
  • Ensure policies are written in clear plain English and comply with the more detailed information requirements
  • Review policies and practices to ensure they demonstrate the processing of employee’s data is compliant with GDPR
  • Develop a process for employees to withdraw their consent and ensure you are able to deal with subject data access requests within the GDPR stipulated timeframes
  • Put a plan in place for data protection breeches with well-rehearsed procedures to certify you can react quickly and notify regulators in 72 hours if needed
  • Determine if your organisation needs a data protection offices, and if so, start the process of recruiting, training and resourcing one