John Macaulay


Siobhan Thomson


GDPR and HR: What you need to know

Employment / 15 May 2018


The much anticipated General Data Protection Regulation (‘GDPR’) will come into force on 25 May 2018.

Employers and HR professionals will be particularly interested in how the new regime affects the collection and processing of HR-related data, especially given the significantly higher penalties that the GDPR introduces.

Key areas of significant change are:

Employee Consent
It will be harder for employers to justify processing employee personal data on the basis of consent. The GDPR introduces prescriptive requirements for obtaining consent: it must be freely given, specific, informed and unambiguous, and employees must be able to withdraw it at any time. Given the imbalance of power in the employment relationship, consent given by an employee will rarely be regarded as freely given. Employers should therefore consider other lawful bases for processing, for example legitimate interests, performance of the employment contract or compliance with a legal obligation.

Privacy Notices
The information which must be provided to staff and job applicants at the point at which their data is collected will be more detailed. It includes, non-exhaustively, the lawful basis for the processing, how long data will be retained, whether data will be transferred overseas and the mechanism by which these individuals can exercise their data subject rights.

Employee Rights
Enhanced rights for staff include, in certain circumstances, a right to have data erased and a right to have inaccurate data rectified. Changes will also be made to data subject access requests: the response time is reduced from 40 days to one month (extendable in complex cases), the standard £10 fee is abolished, and more detailed information must be provided in response to a request. Employers should consider how these rights will be dealt with in practice.

Breach Notification
A new mandatory breach reporting requirement will be introduced: a personal data breach must be notified to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of the employer becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. The members of staff concerned must also be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Employers should therefore develop a breach response plan, enabling them to identify, contain, assess and report a breach within these timescales.


If your organisation hasn’t yet started working on GDPR compliance, or if you are still in the process of finalising how your organisation should respond to this important piece of new legislation, there is still time. Contact us to seek expert legal advice if there are areas that you require assistance with.
