Are you at risk of an £18 million data protection fine? – Employee Consent and the GDPR

Published on 29 November 2017 | Modified on 29 November 2017

Written by Stacey Bennett

The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The GDPR will be applicable in the UK (regardless of Brexit) with derivative legislation replacing the Data Protection Act 1998.

The GDPR extends the scope of current data protection legislation. It also introduces changes to the way in which employers obtain consent to process employee data.

Businesses may process* a significant volume of employee personal data** when carrying out business functions. For example, employee personal data will be ‘processed’ for the purposes of payroll administration, performance reviews, and training and development to name but a few.

What is Processing?

Processing means carrying out any of the following: collecting, recording, organising, storing, using, disclosing, disseminating.

What is Personal Data?

Article 4(1) of the GDPR defines personal data as information relating to an identified or identifiable person. The definition of personal data includes (but is not limited to) name, address, email address, telephone numbers and bank account details, i.e. it covers much of the data that employers hold about their employees. There is a further category of protected data: sensitive personal data. Sensitive personal data is subject to additional rules in connection with data processing. It includes (but is not limited to) information about racial or ethnic origin, political opinions and religious beliefs.

When is processing of Personal Data Lawful?

Under the GDPR, organisations must have a legal justification for the processing of personal data (including data relating to their employees). Such justification may be based upon employee consent.

What is needed for Employee Consent?

In order to rely upon employee consent as a justification for processing of personal data, employers must demonstrate that the consent was:

  • specific and informed;
  • freely given; and
  • unambiguous

Under the new legislation, the Information Commissioner’s Office will have increased powers to take enforcement action over data protection breaches. This includes the ability to issue significant financial penalties. A data protection breach could be a costly mistake for your business and therefore it is essential to take timely advice on compliance.

Poole Alcock is running a series of seminars and bespoke training on compliance with the GDPR and related legislation: if you would like further information about either of these please contact Eve Lakin on 01270 619689 or at
