The General Data Protection Regulation

The GDPR promises to be the biggest change to EU data protection regulation in over 20 years. Its purpose is to harmonise and modernise data protection laws taking into account the technology, communication and data concerns of today, and where possible of tomorrow.

The new legislation has clear implications for HR teams, who handle personal and sensitive personal data on a daily basis, particularly in light of the significant sanctions for breaches. The obligations will apply to data relating to all staff including, workers, candidates, employees or gig economy workers as well as other staff and contractors – the scope is much wider than just employees.

Who is affected?

The GDPR significantly expands the scope of current European data protection legislation, applying not only to EU companies but also to non-EU data controllers and data processers (to the extent they offer goods or services to data subjects in the EU or monitor data subjects’ behaviour within the EU).

For HR purposes, if a business has employees or other staff in the UK, it will almost certainly be caught by the scope of the GDPR. In this context, “staff” could include casual, zero hours, pool and other flexi staff and workers, and agency workers as well as potentially consultants and other independent contractors, depending on what information is controlled or processed by the business.

What must businesses do?

Businesses must not only comply with the new regulation, but must also show that they comply with the new regulation. The GDPR envisages a culture shift, with a focus more on day-to-day compliance and less on high-risk breaches.


The GDPR will apply from 25 May 2018. There is no transition period or ‘soft landing’; businesses will be expected to comply fully from day one.

The business context

In light of the publicity surrounding alleged data breaches at Facebook, Google, HMRC, TalkTalk and many others, it is perhaps unsurprising that staff have become more aware of their data rights in their capacity as employees, workers or contractors as well as individuals. The employment courts too have started to become more attuned to data issues, and particularly the impact of a failure to comply with data obligations on the position of employees (in light of the McWilliams v Citibank case, amongst others), which means employers must be alert to this and not dismiss such issues out of hand.

The law around data is changing, but organisations have been slow to catch on. Most focus has been placed on client or customer data – this clearly goes to brand value and reputation, but increasingly the spotlight is turning to HR data. In light of the significant sanctions under the GDPR, and given that HR teams handle personal and sensitive personal data in relation to staff on a daily basis, this is an area which should be a focus for review and remedial action prior to the GDPR coming into force and to ensure readiness to comply with it going forwards.

Wider issues to consider

This is not simply an issue of compliance for compliance’ sake.

  • The paper treatment of data has clear brand value and reputational implications in the current climate.
  • Consumers and clients are not simply worried about their own data – there is increasing interest in, and brand value attached to, the treatment of employees and other staff and by extension employee and staff data - and any deficiency in which could ultimately curtail future business opportunities.
  • The sanctions under the GDPR are significant, and have potentially serious implications for all organisations, regardless of size.

Why care - penalties for breaches

Under the GDPR regime there will be a significant increase in sanctions for breaches which will affect HR data. Under the GDPR, possible fines will be significantly increased across the EU, and will be levied on a two-tier basis as follows:

  • up to 2% of annual worldwide turnover of the preceding financial year or 10 million Euros (whichever is greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default; and
  • up to 4% of annual worldwide turnover of the preceding financial year or 20 million Euros (whichever is greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights (including subject access requests) and international data transfers.

There are also clear reputational and brand risks associated with a perceived and/or actual failure to comply with data protection requirements. However, taking steps now to try to ensure compliance will help to minimise the risk of these penalties arising and we would be happy to help you with that process.