GDPR under the spotlight – What you need to know

Published: 4th October 2017

Author: Fudia Smartt

The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) replaces the previous EU Data Protection Directive and provides enhanced data protection rights under EU law.

As an EU Regulation, the GDPR (which was enacted on 25 May 2016) has direct effect in each EU member state, without the need for further implementing legislation. Therefore, putting the Brexit wrangling to one side, the UK is obliged to implement the GDPR.

  1. When does it take effect? 25 May 2018.
  2. Key changes: These include the following:
  • Consent: In order for processing to be lawful under the GDPR, there is an obligation to identify (and make a record of) the lawful basis for the processing of a data subject’s personal data. There are six bases listed in Article 6(1) of the GDPR on “Lawfulness of Processing”, with consent being one of them. Under the GDPR consent must be:
    • freely given and unambiguous e.g. in plain language;
    • unbundled i.e. requests for consent should be kept separate from other terms and conditions; and
    • easy to withdraw.
  • Erasure of personal data: Data subjects will have the “right to be forgotten”. This will entitle data subjects to request that any personal data that a data controller (e.g. an employer) holds about them be erased.
  • Correction of personal data: The GDPR requires data controllers to ensure that personal data is accurate, kept up to date and erased/corrected without delay when inaccurate. To meet this aim, the GDPR specifically grants data subjects the right to correct and/or complete inaccurate personal data held by any data controller.
  • Data Subject Access Requests: Employers will be required to reply to DSARs within one month (as opposed to 40 days as it is now) from the date of receipt. If a time extension is required, a data controller will have to inform the data subject within one month of receiving the request of this and supply an explanation for the extension sought. The GDPR permits the data controller to extend the response time by up to two additional months, where necessary. Data controllers will be required to respond to DSARs free of charge unless the requests are manifestly unfounded or excessive – they will no longer be permitted to request a £10 fee.
  • Notification duties: The GDPR will introduce a duty on all organisations to report certain types of data breach (e.g. breaches of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data) to the relevant supervisory authority within 72 hours of the breach. In some cases, the individuals affected will have to be notified as well, for example where there is a significant risk to the rights and freedoms of those individuals.
  • Penalties for breaches: The GDPR will significantly increase the maximum fines on data controllers and data processors for breaches of the rules. Depending upon the nature of the breach, the limit on fines could be between 2% and 4% of a company’s annual worldwide turnover, or between €10 million and €20 million.
  3. What do you need to do now? With just over 7 months before the GDPR comes into force, we set out below 8 tips for organisations:

  1. Update your employment contracts. The generic consent clauses included in employment contracts are unlikely to satisfy the consent requirements under the GDPR because of the imbalance of power between employers and employees, which means that consent is not given freely and is therefore invalid. There is also a requirement for the consent not to be bundled up in other contractual terms. Further, employment contracts will need to refer specifically to an employer’s privacy policy.
  2. Have clear reasons for processing personal data which do not rely on consent. This is particularly important now that data subjects will be able to withdraw consent.
  3. Implement appropriate systems and controls for dealing with data breaches. These could include having a Data Protection Officer responsible for taking action, preparing template letters etc.
  4. Implement appropriate internal procedures and protocols on how to respond to DSARs. This is particularly necessary given the reduced timeframe for responding to standard DSARs.
  5. Train all staff on your systems, controls, policies and procedures in relation to personal data.
  6. Audit your third party data processors (e.g. payroll providers) to ensure that they are in a position to comply with the GDPR.
  7. Update privacy notices to ensure that they are GDPR compliant i.e. that they clearly set out data subjects’ rights, the lawful basis for processing the data, and how personal data is to be handled.
  8. Consider implementing appropriate mechanisms for data subjects to be able to update or correct their personal data.

If you would like to discuss any of these issues further, please do not hesitate to contact any of the members of the Hine Legal Team.

Hine Legal

Cromwell House, 3rd Floor
14 Fulwood Place
London WC1V 6HZ
T: 0203 008 5718