
Insight article

January 24, 2017

What is General Data Protection Regulation?

The aim of the GDPR is to harmonise the current data protection laws across the EU member states.

The General Data Protection Regulation will apply in the UK from 25 May 2018. This is a significant change in data protection law, and businesses will need to invest time in preparing for the changes.

Given Brexit, do you still need to prepare for compliance with the GDPR?

Yes. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the General Data Protection Regulation.

To avoid being classified as inadequate in terms of the level of protection given to personal data, the UK must offer data protection standards that comply with EU requirements. A company outside the EU with operations in the EU must also comply.

The short answer is no.

Under the General Data Protection Regulation, consent must be given:

  • freely, i.e. not as a condition of the employment contract;
  • actively, i.e. not simply ‘by default’; and
  • in a way that is as easy to withdraw as it was to give.

As an employee cannot usually reject a clause in their employment contract, it is not (for GDPR purposes) considered to be ‘freely given’. Therefore, silence, pre-ticked boxes or inactivity cannot constitute consent as these do not allow the employee to say no to an aspect of the proposed processing.

However, the General Data Protection Regulation does allow employers to rely on alternative valid bases for processing personal data, rather than just employee consent. For example, where an employer needs to process personal data to operate the payroll or the sick pay system, it can rely on the justification that such processing is necessary for the employer to perform the employment contract.

How will the GDPR change the rules regarding subject access requests?

A subject access request is a written request made by or on an individual’s behalf for the information he or she is entitled to ask for under section 7 of the Data Protection Act 1998.

In standard cases, the current 40-day time limit for responding to subject access requests will be reduced to one month, and the £10 fee will be revoked.

In complex cases, the one-month timeframe can be extended by a further two months, and provision will be made for a fee to be charged if the request is clearly unfounded or excessive.

The General Data Protection Regulation will extend the right of access to personal data. Employees will be entitled to more information about how their data is handled, who has access to it, how long it is held, etc. Therefore, employers should ensure that anyone appointed to handle subject access requests has received up-to-date training.

What steps should employers take to prepare for the GDPR coming into force?

The General Data Protection Regulation affects the whole of the business, but from an HR angle, we would suggest the following steps are taken as part of the overall business preparations:

Audit HR data and data processes

Now is the time to assess what data is held by HR and how it is processed: who is it shared with, and why?

What data protection policies and procedures do you currently have, and are these working?

Are there any risk areas that need attention before the General Data Protection Regulation comes into force?

Audit your third-party processors

The General Data Protection Regulation increases employers’ obligations to ensure that their third-party data processors comply with data protection laws. The obvious ones here include external payroll providers and occupational health assessors.

You need to make sure that your contractual terms require third parties to comply with data protection laws in processing personal data about your workforce.

You should consider what steps you take to vet and check external service providers for compliance both prior to and during their appointment.

Ensure staff are trained appropriately

General data protection training is as important as ever. Those with specific data processing responsibilities should be given additional tailored training.

Move away from relying solely on employee consent to justify business-critical data processing.

Do you need to appoint a data protection officer?

The GDPR requires companies whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale to appoint a data protection officer. This person must have expert knowledge of data protection law and practices, and their job will be to monitor internal compliance with the GDPR. Businesses that do not fall into this category may still wish to appoint someone to monitor data processing and keep a check on compliance.

If you’re concerned about the General Data Protection Regulation, speak to Karen Cole today.

Note: This article is not legal advice; it provides information of general interest about current legal issues.
