As you will no doubt be aware, the General Data Protection Regulation (GDPR) will take effect across the EU on 25 May 2018.

The GDPR constitutes the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive. If you have not already done so, you will need to start taking steps towards compliance now to ensure that your organisation is ready for 25 May 2018. Visit our GDPR Insights Hub for further information about the GDPR generally.

As under the Data Protection Act 1998, a company must have a lawful basis for processing data under the GDPR. Historically, the lawful basis typically relied on in the operation of employee share plans has been consent. However, under the GDPR, valid consent will be more difficult to obtain and may be withdrawn by an individual at any time (which could cause difficulties in operating plans).

As there are other lawful grounds that a company may rely on for processing personal data (for example, the performance of a contract or compliance with a legal obligation), it will generally be preferable for the company to move away from reliance on consent in the operation of its share plans.

Many companies will be in the process of finalising a general data privacy policy to be issued to their employees. It is important that companies operating employee share plans ensure that such a policy covers these arrangements (including the sharing of data with administrators and trustees of employee benefit trusts, if relevant). Otherwise, a separate policy may have to be prepared specifically covering the incentive plans.