GDPR for Employers – General Introduction

Background – GDPR

Learn more              Contact Us

GDPR personal data processing

Why GDPR? The 1998 Data Protection Act “DPA” is out of date. The DPA was based on the EU 1995 Data Protection Directive so is now over 20 years old. The General Data Protection Regulations “GDPR” are replacing the old act from 25 May 2018.

It is not surprising that we are getting new legislation the world has changed enormously in that 20 years. It has been said that the 1995 directive were originally designed out of fear for what “authority” could do with your data. The new regulations may relate to fear about what everyone else can do with it. The GDPR are designed to give individuals rights in relation to most of the data about them that is washing around on the internet. The data that is kept by thousands of data controller and processors, including employers. In addition we will have a new Data Protection Act 2018. This adds to the rules in the UK and covers processing some data which the GDPR don’t cover.

It reaches the parts other Data Protection Rules didn’t reach

To that end GDPR is designed to reach all parts of your business. You must ensure you take into account the GDPR’s principles in all the processes, activities and workings of your business. Think about it as you design, develop and us, everything don’t just tack it on as a final thought. So it’s about looking at what you are already doing and anything new you are considering. With employees those new things might, for example, include a new accounts or payroll system.  But it could also include say a marketing campaign if you use brochures with staff photos or use their names. Then even when you have taken these things into account you must be able to prove it.


While GDPR covers every area of business but this short note focuses on the employee/employer relationship. There are a lot of ways to tackle your GDPR compliance but you need a general understanding to begin with. Visiting the 12 Steps to take now on the Information Commissioners Office web site is almost essential reading. Then deciding where to start sorting your compliance may depend on your type of business and what you already do to comply with the DPA. The ICO also has lots of additional information for organisations. For example there is their Guide to GDPR including specific information about documents.

Look at the ICO website

When it comes to employees the ICO provides guidance to DPA compliance and is likely to update this for GDPR. You can read the guidance on the old rules on the ICO web site. Here is the Employment Practices Code the Quick Guide for Small Business and the Supplementary Guide to the Code. But remember the rules are changing. Therefore just complying with these guides will not ensure you meet GDPR. Not everything will be seen the same way under new legislation and it requires many new things.


It is worth getting familiar with GDPR terms. Some are very similar to under the DPA but there are differences. Particularly look how they describe the parties, that is Data Controllers, Data Processors and, Data Subjects. Also look at how it defines information such as, Personal Data and Special Category Data.  The ICO web site has lots of information but here is

A quick summary;

  • A ‘data controller’ is the person or organisation that processes personal data and decides the purpose and means of that processing.
  • A “data processor” is the person or organisation that processes personal data but a different person or organisation a “Data Controller” decides the purpose and means of that processing. For example an employer might use a payroll company. The employer is the data controller and the payroll company is likely to be a data processor.
  • “Personal data” means information which relates to a living person (a ‘data subject’). They must be identifiable from that data on its own, or when used with other information which is likely to come into the processors possession. It includes any expression of opinion about the person and an indication of the intentions of the processor or others, in respect of that person. It doesn’t include anonymised data, i.e. where all identifying particulars have been removed.
  • Special Categories” of personal data, and “personal information on criminal convictions and offences”, are data which require a higher level of protection because it more sensitive. The special categories of personal information are information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
  • Data Processing” means doing anything with personal data such as collecting it organising it, consulting it, amending it, transferring it, destroying it etc. It applies where the data is in a paper filing system or any electronic system.

Employers and Employees

In this note to simplify matters I refer to the Data Controller as the “Employer.”  Staff in their capacity as Data Subjects are referred to as “Employees”. Remember for these purposes Employees will cover workers, consultants, job applicants, apprentices, temps, work experience people etc.

Where to start

You can start your GDPR journey by identifying what Personal Data you already have about Employees. Then think about what you will get in future. As an Employer you need to have processes and provide information to Employees. In many cases you must also keep records to show you that you are complying.

You need to show you;

  • only collect Personal Data that you need for a specific purpose and not use it for other things;
  • have a basis for processing that is a lawful ground under GDPR e.g. identify a legitimate interest or legal requirement, plus additional grounds for special category personal data.
  • keep the data secure; not process it outside EEA and when done with it securely destroy it
  • have identified who can see it (internally and externally) and why
  • can show that what you have is
    • relevant,
    • accurate and up to date;
    • only held for as long as you need it – identifying how long that is;
  • allow the Employee whose data it is to see it on request and tell them what you do with it, how long you keep it and their rights to control that processing.
  • comply with the Employee’s other rights relating to correcting data, stopping processing it, erasing it and transferring it.
  • have told the data subject about all these things and in a way they can understand (e.g. a data protection policy and privacy notices)
  • have procedures to deal with breaches enforcement and registration.

Privacy Notice

Most of this information you need to supply to employees in a Privacy Notice. It must be concise, transparent, intelligible and easily accessible plus written in clear and plain language. This is not easy bearing in mind the amount of information to be given. Although not up to date the ICO provides this guide to Privacy Notices. You will need other privacy notices for other situations (e.g. for customers)

Data Protection Policy

You also need to tell Employees about the duties and responsibilities they have in relation to other people’s personal data. This may be other employees or customers, suppliers etc. Similarly you need to remind Employees about the limits to the data they can process and access. It’s not just a matter of them not getting into files they shouldn’t. It includes things like not giving out telephone numbers or commenting on social media. A Data Protection Policy will cover these issues.  That policy will overlap quite a lot with the Privacy Notice. For example the background in both documents will explain terms and grounds for processing etc.

We can talk to you about these points one at a time (although there may be some overlap). This can help you identify whether you need further help. Yes, going through all the different situations is time consuming. However when you have set up the process it should be easier to add new situations as they arise.


What are the risks if you don’t comply with GDPR and why would you want to spend time on it? There is a big stick. Fines, of up to the greater of £20,000.000 or 4% of your annual global turnover, are a big stick. Advertising emails from GDPR advisors are regularly reminding people about this. But the ICO’s job is not to set out to fine data controllers and processors. They want to get them to do the job properly. If you try to do the job properly and don’t set out to breach the rules, the less likely you are to run into trouble.


Is there any benefit from complying? The more you organise the better your business will run and that applies to GDPR. Compliance may be a selling point in getting the best Employees and engendering Employee loyalty. This has a knock on effect on the rest of your business. Employees are also more likely to take care of others data if you take care of theirs.  Showing you look after data is important when proving to your customers that your company is worth doing business with. Failing to comply with GDPR can have other downsides. In a dispute with an employee if they show you don’t take their GDPR rights seriously this may raise questions about your attitude to other employee rights.

Elizabeth Denman, the IC, comments in her talk on 2 February 2018 about the value of GDPR. She believes that if businesses embeds GDPR in their policies and processes and treat it seriously this will generate trust and confidence in those they deal with. Lack of confidence in businesses is an increasingly important problem.

Remember you want your data to be safe

As an Employer remember you are also an individual (owner, partner, director or shareholder). Do you really want more data than is necessary about you in the hands of third parties? The more that’s out there the greater the risks to your privacy, to say nothing of the security of you money, car, home and family. You want others to treat your personal data with respect and care. That applies to the personal data about you in your business. It also applies to your personal data held by organisations you do business with. Therefore reducing the amount of data that you process and giving individuals lots of rights about that processing are key issues in our data obsessed society.

You must comply with GDPR obligations by 25 May 2018 so it is important to look at what you need to do.

To learn more contact us

Kirsten Moon – Employment Client Partner

01233 714055

This note provides a brief look GDPR for employers but is not an exhaustive guide on the subject. You should take further advice before taking or reframing from taking any steps. © Moon & Co Solicitors.

Employers    |    Employees    |    Guides    |    Updates    |    Contact Us