As you will no doubt be aware, the General Data Protection Regulation (GDPR) will take effect across the EU on 25 May 2018.
The GDPR constitutes the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive. If you have not already done so, you will need to start taking steps towards compliance now to ensure that your organisation is ready for 25 May 2018. Visit our GDPR Insights Hub for further information about the GDPR generally.
Like the Data Protection Act 1998, under the GDPR a company must have a lawful basis for processing data. Historically, the lawful basis typically relied on in the operation of employee share plans has been consent. However, under the GDPR, valid consent will be more difficult to obtain and may be withdrawn by an individual at any time (which could cause difficulties in operating plans).
As there are other lawful grounds that a company may rely on for processing personal data (for example, the performance of a contract or compliance with a legal obligation), it will generally be preferable for the company to move away from reliance on consent in the operation of its share plans.