EU General Data Protection Regulation – The impact on employers

What’s it all about?

The existing law on data protection within the EU is based on a European directive introduced over 20 years ago. There is no uniform approach to data protection across the EU, and significant advances in technology mean the current law is out of touch with the modern world.

As part of its proposals for reform, the European Commission suggested there be a common set of rules aimed at modernising and harmonising data protection law within the EU: the EU General Data Protection Regulation (the “Regulation”).

Regulations become part of the law of member states as soon as they come into force, which assists with uniformity. However, the Regulation allows member states to make their own more specific rules in certain areas, including employment. So, whilst everyone will start on the same page, we may still see a difference of approach across the EU in such areas.

When will employers be expected to comply with the Regulation?

The Regulation wording was adopted last month and will come into force on the 20th day after its publication in the Official Journal of the European Union. Employers will then be given a two-year period within which they must comply.

What are the key implications for employers?

The Regulation will bring about a number of changes affecting employers. Here’s a small taster…

Consent will be more difficult to obtain

It will be more difficult for employers to rely on ‘consent’ as a justification for data processing. For example, consent must be “freely given, specific, informed and unambiguous” and the Regulation makes clear that consent will not be “freely given” if an individual has no genuine choice and is unable to refuse/withdraw consent without detriment.

Clauses in employment contracts that purport to give consent are therefore unlikely to be effective as the employee has little ‘choice’ over their terms at the start of their employment. Employers who obtain consent this way will need to put alternative measures in place.

Direct obligations and liability for data processors

The Regulation changes the existing law to impose obligations and liability on third parties who process data on an employer’s behalf such as external payroll providers.

In 2012, an NHS Trust was fined a massive £325,000 when the company it had engaged to destroy hard drives failed to do so (and instead sold them on eBay!). Were this to happen under the Regulation, the third party contractor could also face liability.

Parties should ensure that, going forward, their commercial contracts contain adequate clauses dealing with apportionment of liability and indemnities. Further, employers who process data on behalf of other organisations may find themselves liable as ‘data processors’ and will want to ensure that their duties are clearly defined in any contractual agreement.

Data Access Requests

The Regulation makes a number of changes relating to data access requests. The two most significant for employers are changes to the timeframe for compliance and an ability to refuse to comply with ‘manifestly unfounded or excessive’ requests.

The Regulation removes the 40 day compliance timeframe. Instead, employers are required to comply ‘without undue delay’ and within one month, but have an option to extend this by a further two months “taking into account the complexity of the request and number of requests”. Requests to employers are typically complex and so are likely to attract the three month timeframe. This will be welcomed by employers who have long argued that the current timeframe is unrealistic in modern technology-dependent workplaces.

Employers will no longer be able to charge £10 to deal with a request; however, they may refuse to comply altogether (or charge a reasonable fee based on admin costs) where the request is manifestly unfounded or excessive. This will surely see an end to employers spending days wading through thousands of emails! However, the Information Commissioner’s Office (ICO), which regulates data protection in the UK, has always emphasised the importance of an individual’s right of access and, as such, it seems likely that it will expect employers to discuss such requests with individuals in an attempt to narrow these down as opposed to refusing to comply entirely.

Increased penalty for non-compliance

The Regulation will increase the maximum monetary penalty which can be awarded for non-compliance to EUR20 million or 4% of the organisation’s annual worldwide turnover (whichever is higher).

Whilst the risk of a significant penalty may well move the issue of data protection further up an employer’s list of priorities, in practice, it is unlikely to lead to higher penalties being imposed in the UK. The ICO has a reputation for adopting a pragmatic approach. Despite having the ability to award up to £500,000 since 2010, the largest penalty it has issued was for £350,000 against Prodial Ltd earlier this year in relation to 46 million nuisance calls.

However, under the Regulation the member state where the company’s main establishment is based will take the lead on enforcement regardless of where the breach takes place.

Right to be forgotten

Individuals will have increased rights under the Regulation which will include the right to request that their personal data be erased (referred to as the ‘right to be forgotten’). This topic has received a lot of attention recently – see our blog in August on the right to be forgotten being enforced against Google.

In conclusion…

In light of the two-year transition period (and the impending EU referendum), employers may not be in a rush to comply with the Regulation. However, there are many changes being proposed which will affect employers, and it would be prudent for those who process large amounts of personal data to familiarise themselves with the Regulation sooner rather than later. At the very least, all businesses that have not already done so should now take steps to identify the type of personal data they currently process and the legal basis on which they rely to process this. This will be a good starting point for risk assessments further down the line…

About this article


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
