• news-banner

    Expert Insights

Top 7 Data Protection Tips for Employers

An overview of the top 7 considerations for employer’s to comply with the retained General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

1. Are your employment contracts compliant?

  • Pre-GDPR, many employment contracts referred to employees consenting to their data being processed. This is no longer appropriate and contracts that refer to consent should be updated.
  • Employment contracts should contain sufficiently robust data protection and confidentiality obligations, ideally tied to an enforceable data protection handbook or policy (see question 2).
  • Employment contracts should contain accurate and up to date references to applicable data protection law post-Brexit.

2. Do you have employee and job applicant privacy notices?

  • Organisations are required to have privacy notices that set out how the organisation will obtain, handle, process or store employee personal data.
  • Employees and job applicants should be made aware of their rights under data protection law via these privacy notices.
  • In addition, you will need to prepare and maintain an “appropriate policy document” in relation to your processing of special categories of personal data and criminal convictions or offence information.

3. Do you have a data protection handbook (or instructions manual) for employees to follow?

  • Your employees’ obligations (both general and role specific) and your expectations of them in relation to data protection should be clearly set out, ideally in a data protection handbook.
  • A data protection handbook will assist you to comply with the accountability obligations under the UK GDPR.

4. Who has overall responsibility for data protection compliance (and do you need a data protection officer (DPO))?

  • As an employer, you will need a DPO if you are an organisation that either: (a) is a public authority; (b) carries out large scale systematic monitoring of individuals; or (c) carries out large scale processing of special categories of data or data relating to criminal convictions.
  • Even if your organisation does not fall into any of the three categories above, you can still appoint a DPO. Alternatively, you can appoint an individual who will be responsible for compliance with regulatory requirements.
  • A DPO will be responsible for monitoring and advising on compliance with the UK GDPR.  The DPO will also be the first port of call for supervisory authorities and will have to comply with obligations as defined in UK GDPR Article 37-39.

5. Do you train and audit your staff?

  • Employees that have regular or permanent access to personal data or are involved in the development of tools or software used to process personal data should be given appropriate training.

6. Are you undertaking any high risk processing that may require a Data Protection Impact Assessment (DPIA)?

  • Employers should undertake a DPIA to identify and minimise non-compliance risks.
  • You must undertake a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
  • A DPIA should include a description of the envisaged processing operations and the purposes of processing, an assessment of the need for and proportionality of processing the information and the risks to data subjects and measures to mitigate those risks to comply with the UK GDPR.

7. What happens if you do not comply with the UK GDPR and the DPA 2018?

  • Under the UK GDPR, you can receive a fine of up to 4% of global annual turnover, or £17,500,000, whichever is higher, for breaches of: (a) processing, including consent conditions; (b) data subjects’ rights, and; (c) international transfers.
  • For other breaches, you can receive a fine of up to 2% of global turnover, or £8,700,000, whichever is higher, for infringements such as the failure to main written records and the failure to report breaches where required.

Our thinking

  • IBA Annual Conference 2025

    Simon Ridpath

    Events

  • Alumni Drinks Reception

    Events

  • London International Disputes Week: Trusts hurt: the fraud lawyer, the trust, and the avenues of attack (and defence)

    Tamasin Perkins

    Events

  • London International Disputes Week: Navigating International M&A Disputes: Insights and Strategies for 2025

    Stephen Burns

    Events

  • Government publishes consultation on Regulations about how rent is calculated under the Landlord and Tenant Act 1954 for agreements with Code operators

    Georgina Muskett

    Quick Reads

  • ESG Duties for Directors: Legal Obligations and Risks Under English Company Law

    Katie Bewick

    Insights

  • Conclusive truth or abusive sleuth - can covert recordings be used in family law proceedings?

    Charlotte Posnansky

    Insights

  • Law Commission publish their recommendations for reform on Wills

    Charis Thornton

    Quick Reads

  • What does the UK Immigration White Paper mean for businesses, families and entrepreneurs?

    Paul McCarthy

    Insights

  • BBC News quotes Emma Preece on a Supreme Court decision around whether people can camp in certain areas of Dartmoor without permission from landowners

    Emma Preece

    In the Press

  • From Tradition to Transaction - The Rise of Private Equity in Family Businesses in the Middle East

    Ahmad Anani

    Insights

  • The UK’s immigration white paper – what does it mean for British Nationals (Overseas)?

    Owen Chan

    Quick Reads

  • Directors’ Disqualification Under the Company Directors Disqualification Act 1986: What UK Directors Need to Know

    Claudine Morgan

    Insights

  • The Financial Times quotes Catrin Harrison on IHT Budget changes and the impact on wealthy UK expats

    Catrin Harrison

    In the Press

  • Property Patter: Applications to discharge or modify restrictions

    Emma Humphreys

    Podcasts

  • Should access be given between exchange and completion?

    Twiggy Ho

    Insights

  • What next for the hydrogen sector?

    Rachael Davidson

    Quick Reads

  • UK Cybersecurity and Resilience Policy Statement April 2025 - Impacts for Managed Services Providers and Data Centres

    Mark Bailey

    Insights

  • Covenant modified by Tribunal to allow office redevelopment in accordance with planning permission

    Georgina Muskett

    Insights

  • Thomas Snider and Adrian Mayer write for African Law & Business on rising levels of private investment between the UAE and Africa

    Adrian Mayer

    In the Press

Back to top