It can’t have escaped your notice that the EU wide General Data Protection Regulation (GDPR) becomes law in the UK on 25 May 2018.  This has an impact on all businesses in the UK that process personal data. Personal data is any information that enables an individual to be identified.

Any business with employees processes personal data and therefore needs to be aware of the changes in the law and how this impacts upon how they use, store and retain data.

Businesses also need to consider their wider activities in terms of when and how they handle the personal data of clients, customers and potential customers. However, for employers the key issues to focus on now in terms HR and GDPR are:

Privacy Notices

Employers need to formally advise all employees (and applicants during the recruitment process) about their personal data process. The notice needs to state what data they hold, why they hold it and what they will use it for.

Third parties

Where an employer shares employees personal data with a third party supplier, they need to ensure this is made clear to the employee in the Privacy Notice.

Legal basis

An employer needs to have a legal basis for processing personal data, and needs to specifically state what that is in the Privacy Notice.

Record of Processing

All businesses need to consider whether to conduct a data processing audit and record in a formal Record of Processing document how they manage personal data in the business.

Subject Access Request

Individuals have always had the right to request details of the personal data held about them. In future such a request should now be processed for free and must be dealt with within 30 days.

Right to Rectification

Employees can ask for errors in the personal data their employer holds about them to be corrected.

Right to be forgotten

Subject to certain limitations, individuals can ask for a personal data record to be removed. The employer needs to be able to evidence that the data has been removed.

Information Commissioners Office

It will now be mandatory for the employer to report any data breach to the Information Commissioners Office (ICO).


A new fee structure and registration process has been introduced by the ICO.  However businesses that that only use personal data for staff administration are exempt from this.

No exceptions

Even if your business does not need to register with the ICO you still need to comply with the other data protection obligations.

If you have any questions or need further advice on getting GDPR ready please contact Opsium.