Data protection and GDPR: how compliant is your business?

The General Data Protection Regulation (GDPR) is approaching its second anniversary and it seems that every day there are reports of data breach cases. The penalties for breaching data protection obligations are eye watering: fines up to €20,000,000 or 4% of worldwide annual group turnover, whichever is higher.

Date: 28/01/2020

The Information Commissioner's website provides details of fines and notices of intent to fine. Only three such fines/notices of intent have been reported in the UK under the GDPR (introduced in the UK through the Data Protection Act 2018), amounting to over £280,000,000 (each fine was significant). There have also been a number of fines across EEA member states, with the figure likely to increase given the length of time since the GDPR was introduced.

The employee/employer relationship is renowned for being data rich: employers process employee data every day and at every stage of the employment cycle, from recruitment through to references. To help ensure your business is data protection compliant, we have updated our Data Protection and GDPR - A guide for employers.

Here are some top tips for employers on how to stay compliant.

Top tips for employer compliance

Where to start? Data mapping is key. What data do you hold? How long do you retain it? Where do you send the data? What protection is in place with third parties? Are your processes GDPR compliant? Individuals have enhanced rights under the GDPR, including a right to information and a right to transparency. Having the right systems and processes in place will put your business one step ahead.

Get your paperwork in order. Review existing employment contracts, data protection policies and privacy notices to ensure they are in line with the GDPR. Many employment contracts still include consent clauses requiring the employee to consent to the employer processing their personal data. The GDPR is clear: employers cannot routinely rely on consent as a ground for processing data. Employers will need to consider alternative grounds for processing and will need to ensure contracts and policies are clear. A large accountancy firm was recently fined €150,000 by the Greek Data Protection Authority (Greece's equivalent of the UK's Information Commissioner's Office) for GDPR breaches, for wrongly relying on consent as a basis for processing employee data.

Data Protection Impact Assessments (DPIAs). DPIAs are required under the GDPR when high-risk processing is taking place, for example systematic and extensive automated decision-making, large-scale processing of special categories of data, or large-scale systematic monitoring of public areas (CCTV). Consider whether you need to carry out a DPIA.

Are your employees on board? Training is an essential element of GDPR compliance, not just as a one-off but on a regular basis. Identify who in the business needs training and at what frequency. Keep records of training provision and attendance. Businesses that are able to instil a GDPR-compliant culture will find themselves in an advantageous position; communication and training will support this objective.

Remember that 25 May 2018 was just the initial implementation date of the GDPR. Employers need to put ongoing processes, procedures and reviews in place.

We hope you find our guide useful. If you have any queries please get in touch.

Related people

Helga Breen
• Partner // Head of Employment (London)

JP Buckley
• Partner // Head of Data Protection

Charlotte Lloyd-Jones
• Professional Support Lawyer
