Welcome to Stallard Kane Associates

New data protection regime will be backed by tough penalties

The EU recently finalised its new regime for data protection. With a two-year run-in period, the General Data Protection Regulation (GDPR) will apply from 25 May 2018. 

The GDPR aims to introduce a ‘one-stop shop’, with a common set of rules applying across the EU. Although the European Commission claims that this will save businesses €2.3bn per year, its assessment has been challenged, with the Brussels European Employee Relations Group, for example, predicting not a saving, but an annual cost of €3.3bn. Whatever the overall figure, within the employment arena, savings are unlikely, as member states will have power to impose more specific national rules.

The rules are backed up by tougher penalties for data protection breaches. The maximum penalty will be €20m or four per cent of worldwide turnover – whichever is higher. Although not every mistake will lead to a penalty, the potential exposure will lead to most organisations putting greater focus on compliance.   

The GDPR will affect any area in which personal data is processed, but it is in relation to employment that businesses are likely to process most data. So what are the implications for employers?

Information on data

Employers are currently required to provide information on the purposes for which data is processed. The GDPR extends this. Employers will need to specify the legal basis for processing. In an employment context, much processing relies on the employer’s “legitimate interests”. One example is processing personal data in connection with appraisals, where the employer has a legitimate business interest in ensuring that employees who perform well are recognised, and others are perhaps given support. These interests will need to be spelt out.  Employees will also be entitled to information on how long data will be kept and on legal rights such as the subject access right.


Consent is commonly used as a legal basis for processing, normally through the contract of employment. The new rules tighten this. Consent must be informed and freely given with a genuine choice. Employees can withdraw consent at any time.

Data subjects’ rights

The rules on data subject access will change. The fee (£10 in the UK) will be abolished. The time for compliance (currently 40 days in the UK) will be reduced to one month, though this may be extended if a request is complex. If a request is clearly excessive, the employer may either charge or refuse to carry it out, a change that should lead to constructive discussion.

Data subjects will have other rights: to erasure (the right to be forgotten), and rights to rectify, restrict and object to processing.


Employees make mistakes – they leave laptops on trains, send emails to the wrong person and are careless with passwords. Under the new rules, employers discovering a data breach must notify the regulator and keep records.

Other changes

Rather than simply complying with the law, as they are required to do now, employers will have to demonstrate compliance. To be able to do so, employers are likely to develop policies and, if challenged, produce evidence showing both that they had policies in place and had complied with them.

Data protection officers (DPOs) will have to be appointed if an organisation’s core activities involve systematic monitoring or large-scale processing of sensitive data and in the public sector. A DPO may be an employee or consultant – but must be independent.


If the UK votes to leave the EU on 23 June, the GDPR will not apply directly. However, if data is transferred to the UK from within the EU, the UK will have to meet EU standards of protection. UK businesses offering goods or services within the EU will also have to comply with the GDPR. So while there may be some room for flexibility as to the details, Brexit will not make much difference.

Next steps

Although the new rules will not apply until 2018, employers would be well advised to take the following steps now:

  • Identify data systems, personal data and what you do with it 
  • Understand the legal basis for processing the data, and work out your ‘legitimate interests’
  • Identify who takes overall responsibility and consider appointing a DPO
  • Review documentation, as a lot more will be needed, including more detailed privacy notices and records of processing activities
  • Establish a policy with a timeline for handling data breaches
  • Build in safeguards to protect data when developing new systems

Training staff who process personal data – the entire workforce in many organisations – will also be vital both to avoid problems in the first place and, if problems do arise, to mitigate potential penalties.


Added: 17-06-2016

Breaking News

Head Office:
First Floor Offices, 11-23 Market St.
Gainsborough, Lincolnshire
DN21 2BL

Tel: 01427 678660

HR and Accounts:
26/26a Hickman Street
Gainsborough, Lincolnshire
DN21 2DZ

Tel: 01427 678660

Hull Office:
West 1, West Dock Street
Hull HU3 4HH

Tel: 01482 534 348

Manchester Office:
Hyde Park House, Cartwright Street
Newton, Hyde, Cheshire SK14 4EH

Tel: 0161 367 1214

Birmingham Office:
2450 Regents Court The Crescent
Birmingham Business Park Solihull B37 7YE

Tel: 0121 69 59 290

London Office:
4th Floor, 86-90 Paul Street
London EC2A 4NE

Tel: 0207 111 0958