GDPR employee consent

Are you at risk of an £18 million data protection fine? – Employee Consent and the GDPR

29th November 2017

The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The GDPR will be applicable in the UK (regardless of Brexit) with derivative legislation replacing the Data Protection Act 1998.

The GDPR extends the scope of current data protection legislation. It also introduces changes to the way in which employers obtain consent to process employee data.

Businesses may process* a significant volume of employee personal data** when carrying out business functions. For example, employee personal data will be ‘processed’ for the purposes of payroll administration, performance reviews, and training and development to name but a few.

What is Processing?

Processing means carrying out any of the following: collecting, recording, organising, storing, using, disclosing, disseminating.

What is Personal Data?

Article 4(1) of the GDPR defines personal data as information relating to an identified or identifiable person. The definition of personal data includes (but is not limited to) name, address, email address, telephone numbers and bank account details, i.e. it covers much of the data that employers hold about their employees. There is a further category of protected data: sensitive personal data. Sensitive personal data is subject to additional rules in connection with data processing. It includes (but is not limited to) information about racial or ethnic origin, political opinions and religious beliefs.

When is processing of Personal Data Lawful?

Under the GDPR, organisations must have a legal justification for the processing of personal data (including data relating to their employees). Such justification may be based upon employee consent.

What is needed for Employee Consent?

In order to rely upon employee consent as a justification for processing of personal data, employers must demonstrate that the consent was:

  • specific and informed;
  • freely given; and
  • unambiguous

Under the new legislation, the Information Commissioner’s Office will have increased powers to take enforcement action over data protection breaches. This includes the ability to issue significant financial penalties. A data protection breach could be a costly mistake for your business and therefore it is essential to take timely advice on compliance.

Poole Alcock is running a series of seminars and bespoke training on compliance with the GDPR and related legislation: if you would like further information about either of these please contact Eve Lakin on 01270 619689 or at

