Most business owners are by now aware of the General Data Protection Regulation and that it will impact how they operate in terms of how they keep and process data.

But we are finding many business owners are still unclear on what the fundamental principles are in the GDPR, and how it differs from the Data Protection Act.

Here are some of the key principles shaping this new regulation in respect of employment data:

Data protection by design and default

GDPR introduces the concept of data protection by design and default. This is about ensuring data protection concerns are embedded in your processes, policies, operational and strategic decisions. It means you have to ensure you take data protection risks into account from the start, when writing a policy or designing a product or service.

You must be able to demonstrate that you have structures and processes in your business which ensure that processing is limited to what is necessary for the purpose in question, stored for the shortest amount of time necessary and that access is restricted to only what is necessary.

Legal basis for processing data

Many employers currently process employee personal data based on consent. The GDPR introduces stricter requirements for valid consent: it must be “freely given, informed, specific and explicit”.

This means that consents to process employee data contained within employment contracts will not be valid, and in fact valid consent will generally be difficult to obtain in the employment context at all due to the imbalance of power between employer and employee. Consent will also be able to be more easily withdrawn which clearly could be problematic.

Therefore employers will need to rely on other permissible grounds for processing data, including compliance with a legal obligation, performance of a contract and legitimate interest of the employer or a third party

Information you will need to provide to employees and job applicants

Under the GDPR the information you need to give people about the data you hold is more detailed than under the Data Protection Act 1998. They’ll need more information about what the data is, why you’re holding it, who can access it and about their rights in terms of withdrawing consent.

Data subject access requests

Employees already have the right under the Data Protection Act 1998 to obtain copies of data being processed by their employer or ex-employer, as well as information about the data.

Changes under the GDPR include a requirement to provide the information more quickly –  within no later than a month (or three months if the request is particularly complex), and employers will no longer be able to impose a charge for processing the request.

Accountability principle

The GDPR introduces a new requirement for employers to demonstrate compliance with the data protection principles through record-keeping.

You should create a data register to meet these requirements, containing information about all personal data your business processes.

Automated decision-making

The GDPR also places restrictions on automated decision-making in organisations. Employees will have a right not to be subject to a decision made solely by automated processing where that decision significantly affects them. Exceptions are made where explicit consent has been given or where the automated decision-making is necessary to perform the employment contract.

If you currently use automated decision-making you should review it and look at incorporating human intervention into the processes.

Sensitive personal data

The definition of sensitive personal data under the GDPR has expanded to explicitly include genetic and biometric data in addition to the current definition of data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation.


If you would like more details about any of these principles and how they might affect your business, do get in touch.