EU General Data Protection Regulation – The impact on employers

What’s it all about?

The existing law on data protection within the EU is based on a European directive introduced over 20 years ago. There is no uniform approach to data protection across the EU, and significant advances in technology mean the current law is out of touch with the modern world.

As part of its proposals for reform the European Commission suggested there be a common set of rules aimed at modernising and harmonising data protection law within the EU; the EU General Data Protection Regulation (the “Regulation”).

Regulations become part of the law of member states as soon as they come into force, which assists with uniformity. However, the Regulation allows member states to make their own more specific rules in certain areas, including employment. So, whilst everyone will start on the same page, we may still see a difference of approach across the EU in such areas.

When will employers be expected to comply with the Regulation?

The Regulation wording was adopted last month and will come into force on the 20th day after its publication in the Official Journal of the European Union. Employers will then be given a two year period within which time they must comply.

What are the key implications for employers?

The Regulation will bring about a number of changes affecting employers. Here’s a small taster…

Consent will be more difficult to obtain

It will be more difficult for employers to rely on ‘consent’ as a justification for data processing. For example, consent must be “freely given, specific, informed and unambiguous” and the Regulation makes clear that consent will not be “freely given” if an individual has no genuine choice and is unable to refuse/withdraw consent without detriment.

Clauses in employment contracts that purport to give consent are therefore unlikely to be effective as the employee has little ‘choice’ over their terms at the start of their employment. Employers who obtain consent this way will need to put alternative measures in place.

Direct obligations and liability for data processors

The Regulation changes the existing law to impose obligations and liability on third parties who process data on an employer’s behalf such as external payroll providers.

In 2012, an NHS Trust was fined a massive £325,000 when the company it had engaged to destroy hard drives failed to do so (and instead sold them on eBay!). Were this to happen under the Regulation, the third party contractor could also face liability.

Parties should ensure that, going forward, their commercial contracts contain adequate clauses dealing with apportionment of liability and indemnities. Further, employers who process data on behalf of other organisations may find themselves liable as ‘data processors’ and will want to ensure that their duties are clearly defined in any contractual agreement.

Data Access Requests

The Regulation makes a number of changes relating to data access requests. The two most significant for employers are changes to the timeframe for compliance and an ability to refuse to comply with ‘manifestly unfounded or excessive’ requests.

The Regulation removes the 40 day compliance timeframe. Instead, employers are required to comply ‘without undue delay’ and within one month, but have an option to extend this by a further two months “taking into account the complexity of the request and number of requests”. Requests to employers are typically complex and so are likely to attract the three month timeframe. This will be welcomed by employers, who have long argued that the current timeframe is unrealistic in modern technology-dependent workplaces.

Employers will no longer be able to charge £10 to deal with a request, however, they may refuse to comply altogether (or charge a reasonable fee based on admin costs) where the request is manifestly unfounded or excessive. This will surely see an end to employers spending days wading through thousands of emails! However, the Information Commissioner’s Office (ICO), which regulates data protection in the UK, has always emphasised the importance of an individual’s right of access and, as such, it seems likely that it will expect employers to discuss such requests with individuals in an attempt to narrow these down as opposed to refusing to comply entirely.

Increased penalty for non-compliance

The Regulation will increase the maximum monetary penalty which can be awarded for non-compliance to EUR 20 million or 4% of the organisation’s annual worldwide turnover (whichever is higher).

Whilst the risk of a significant penalty may well move the issue of data protection further up an employer’s list of priorities, in practice, it is unlikely to lead to higher penalties being imposed in the UK. The ICO has a reputation for adopting a pragmatic approach. Despite having the ability to award up to £500,000 since 2010, the largest penalty it has issued was for £350,000 against Prodial Ltd earlier this year in relation to 46 million nuisance calls.

However, under the Regulation the member state where the company’s main establishment is based will take the lead on enforcement regardless of where the breach takes place.

Right to be forgotten

Individuals will have increased rights under the Regulation which will include the right to request that their personal data be erased (referred to as the ‘right to be forgotten’). This topic has received a lot of attention recently – see our blog in August on the right to be forgotten being enforced against Google.

In conclusion…

In light of the two year transition period (and the impending EU referendum), employers may not be in a rush to comply with the Regulation. However, there are many changes being proposed which will affect employers, and it would be prudent for those who process large amounts of personal data to familiarise themselves with the Regulation sooner rather than later. At the very least, all businesses which have not already done so should now take steps to identify the type of personal data they currently process and the legal basis on which they rely to process it. This will be a good starting point for risk assessments further down the line…

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
