General Data Protection Regulations, three years on…

It has now been three years since the General Data Protection Regulations were introduced. Find out more by reading our online blog.

Share this story

Written by: Alcumus
3rd August

It has now been 3 years since the General Data Protection Regulations were introduced but many people are still unsure as to what this means for employers.

As you should be aware the General Data Protection Regulations replaced the Data Protection Act 1998 on the 25th May 2018 and it became a legal requirement that all employers within the EU must follow the new GDPR rules regardless of their size or business practice.

GDPR states that personal information should be:

  • processed lawfully, fairly and transparently;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and kept up to date where necessary;
  • kept for no longer than is necessary where data subjects are identifiable;
  • processed securely and protected against accidental loss, destruction or damage.

Whilst there are no exceptions to following these rules, there are penalties where these new regulations are not followed which could include a fine of up to €20 million or 4% of your business’ annual turnover as well as possible criminal sanctions and compensation claims.

Another factor that often gets overlooked, is that your company reputation could be damaged in the process of each of these penalties.

So, what data does GDPR cover?

GDPR covers both Personal Data and Sensitive Data.

Personal data has been expanded to specifically include device IDs, IP addresses, cookies, and location data.

Sensitive data is also categorised as “special categories of personal data” such as genetic and biometric data that can be used to uniquely identify an individual. However, personal data that relates to criminal convictions are not included.

Criminal convictions, activities and proceedings (criminal offence data) are given an extra protection.  The rules applying to this data are a bit different because of the risks to the people it relates to, if the data is misused. The need to protect people from criminal activity means that using this type of information can be justified in a wider variety of circumstances, despite the potential impact on the person who it's about.

GDPR also now applies to both automated and manual filing systems where data is accessible such as cloud based systems, servers and chronologically ordered sets of manual records held in systems such as filing cabinets.

Are you compliant?

As stated earlier, there are 6 principles that now must be abided by for GDPR and it is the responsibility of all staff that their activities comply with those principles. It is also known that staff should not disclose personal data outside the business’ procedures or use personal data for their own purposes.

Within your company, you should have established who would be a data controller and who would be a processor.

Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”

Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

As you process personal data, your business would automatically be considered a controller which means you will be responsible for processing personal data and being able to demonstrate that you are compliant. As the controller, you must have the consent of each individual to process, record and store their personal information and you will need to be able to show that both your employees and customers were:

  • informed of the purpose and use of their personal data; and
  • given a clear explanation of how it will be treated

You will not have met the standard required for GDPR where employees have agreed reluctantly to have their data stored, stayed silent on the request, not complained about how their data is stored, or agreed to their data being stored as part of their employment terms and conditions.

As an employer, you must ensure that any third parties you share data with also comply with the GDPR.

How does GDPR relate to recording, storing & accessing HR Data?

Retention periods

For common types of HR data, there are statutory retention periods that govern how long those types of data should be held for. Examples of these types of data are as shown in the table below.

However, there are many types of HR records that don’t have a definitive retention period, so it is up to you to decide what is a reasonable amount of time to retain those records.

The CIPD recommends the following time limits based on the potential for tribunal or civil claims.


How often do I need to remind staff that we hold their data?

As you rely on all your employees’ consent to store their data, it is important that they are aware that their data is stored and how long it will be stored for. Where possible, it would be best practice to have a policy that explains how long you keep the different types of data and why. Employees must also be given permission to withdraw their consent at any time.

Whilst there isn’t a law that states how often employees needed to be reminded that you hold their data, you can give regular reminders throughout the year, so that they are kept informed of your company’s compliance with GDPR.

One thing to remember, is that when you no longer need certain personal data, you must make sure you anonymise or securely destroy the data.

Is it my responsibility to keep employee data up to date?

Personal data that is accurate, relevant and kept safe can save you time and money. It also means you are complying with GDPR. As data protection is the responsibility of all your employees, it is important that they are aware of how beneficial it is to keep accurate data and what to do if something goes wrong.

As a business, you may find it useful to appoint a Data Protection Officer (DPO) as they can then look after your privacy notice and ensure that your customer and staff / employee records are up to date. Ensuring you have a DPO also means that they can respond to any data protection requests.

A small organisation isn’t likely to need a Data Protection Officer but you must appoint a DPO if:

  • you’re a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

How does Brexit affect GDPR?

Now that the UK has left the EU, the EU GDPR no longer directly applies but the GDPR regulations will still be part of the UK Law.

The GDPR’s requirements that replicate The UK Data Protection Act 2018, for areas that are outside the Regulation’s scope, will continue to apply.

For more information on data protection and Brexit, please see How the UK’s withdrawal from the EU affects data protection in the UK: the EU GDPR, UK DPA 2018 and UK GDPR

What can I do if my employee won’t agree to me recording and storing their data?

As an employer, you don’t always need your employees consent to use their personal data. You are allowed to use it without consent as long as you have a valid reason for doing so. There are 6 reasons that can be used and they are often referred to as ‘lawful basis’. The six lawful basis’s for using data are:

  • Consent
  • Contract
  • Legal Obligation
  • Vital interests
  • Public task
  • Legitimate interests
  • Examples for some of these lawful basis’s are as listed below:
  • Consent: asking if you want to receive the companies newsletter
  • Public Task: sharing your details with HMRC to calculate tax
  • Legal Obligation: disclosing salary details to HMRC because of your legal obligation to do so

However, if you do not have the employee’s consent to use their data you must still tell them why you are using their data and what your lawful basis for this is. Where you have identified one lawful basis for storing the employee’s data, you should not swap this to a different lawful basis without good reason. Often you will find that processing personal data for a variety of purposes relies on more than one lawful basis but no matter how many are relied on, they must all be included in your privacy notice.

Do I need consent from my employees to track their data via vehicle trackers?

The first thing to note when tracking an individual’s geolocation or behaviours, is that a Data Protection Impact Assessment (DPIA) is required to process any operation that involves geolocation data, or the use of innovative technologies related to intelligent transport systems. This is due to the data processing being likely to result in a high risk to the rights and freedoms of the individuals involved.

Where vehicle tracking is involved, you should get consent and document the consent of each of the employees that it would affect unless there is good reason not to. For example, you may be able to demonstrate that gaining consent from the employees would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.

In most cases, it should be possible to get consent. Where you decide not to get consent, you should record this decision in your DPIA with a clear explanation as to why you have not gained the consent required. You should also record any reasons for going against the views of the individual should they not consent to their geolocation and/or behaviours being tracked. You must also consult the ICO before you go ahead with processing that data.

If using vehicle trackers, you will need to have a document in place that states how they will be used and why you are using them and how long the data recorded will be kept for.

Does GDPR apply to CCTV recordings?

If using CCTV, you will need to have a document in place that states how it will be used and why you are using it and how long the recordings will be kept for. It is also important that you make note of how you plan to keep the recordings secure and what your employee’s responsibilities are in terms of CCTV. For example, limiting the access to CCTV recordings to a few key members of staff.

You will also need to have signs in place that let people know they are being recorded and you will need to register with the Information Commissioners Office (ICO).

For more information on GDPR, you can check the Information Commissioners Office website or refer your queries to your appointed Data Protection Officer.

Information Commissioner's Office

SME web hub – advice for all small organisations

What data are you processing in relation to your past, present and future employees?

Data that includes any information that helps you identify an employee will be collected. Examples of each of the types of data that will be collected are as below.

Personal Data would include data such as names, addresses, bank account details and/or online identifiers such as IP addresses and/or email addresses and phone numbers. Personal Data also covers data from systems such as CCTV.

Sensitive Personal Data would cover data including (but not limited to) race, religion or beliefs, sexual orientation, political affiliations, trade union memberships, physical / mental health or conditions and/or criminal records checks.

How do you keep your data secure?

You should review your security measures and update them where necessary. You should also set up processes for reviewing, documenting, and notifying breaches.

Ensuring your policies cover sections such as removing data from the office for things such as working from home, who can access the data, employees who use their own devices and how they interact with the use of an employer’s data is also important as you have then got measures in place that cover how your data is shared and processed.

What do you do in the event of a data breach?

The first thing to do is report the breach. Data breaches need to be reported within 72 hours to the Regulator. In some breach cases, the Regulator may require employers to report the breach to the individuals affected.

Does GPDR cover our old files that are still stored in our filing cabinets?

Yes, GDPR does also apply to historic files that are stored within manual systems such as filing cabinets.

As it may be difficult to obtain consent for this data, you will have to rely on the existing consent and process this data by consent or necessity in accordance with the GDPR regulations.

If you ignore historic files such as those stored in filing cabinets, there is a risk of you facing sanctions due to you retaining the files longer than was/is necessary.

How can I demonstrate compliance if challenged by the Regulator?

Within all your GDPR documents, you must take into account the data protection risks. To do this you can assess and implement the appropriate, technical and organisational measures from the outset and put mechanisms into place to ensure that for each purpose, only the personal data necessary is processed.

Completing a detailed Privacy Impact Assessment for high risk processing will also help demonstrate that you are GDPR compliant and throughout all your activities, creating and maintaining a record of the data you are processing will further demonstrate that you are complaint with GDPR regulations.

What do I do if I receive a complaint from the ICO?

The ICO will contact you explaining what they need. If you are aware of the complaint, you should keep records of all the relevant correspondence and the requested information. Where you need to release more information, do this as soon as possible and make the ICO aware.

The case officer dealing with the complaint may request for more information or evidence around your decision and you are required to provide the information unless there is a good reason not to release the information. However, you should be able to show why you have refused the request and inform the ICO of that decision.

Should you persistently refuse to cooperate, the ICO can issue an information notice which is legally binding and you will then legally be required to give them the information they require.

Can I tell our clients which of my employees have been vaccinated?

If collecting data on your employees’ vaccination status, you need to be clear on why you are recording that data and how you are recording it. There are different lawful basis’s that are available to you for sharing this type of information but as the data relates to your employees health, you will need to identify an additional condition for processing, either the employment or public health condition.

Confidentiality is the key to this, and you should make sure you are disclosing it for a defined reason. You should also tell your employees that you are sharing this data and why so they can exercise their information rights and object to their sharing of personal data in certain circumstances.

If an employee objects, you should consider whether the need to share the personal data overrides the interests of that employee.

Whilst Alcumus is not a Data Protection specialist, we have had many requests for guidance and understand that GDPR will overlap with some HR principles and practices. As such we are encouraging all clients to ensure their practices and policies are in place and updated to reflect GDPR requirements.

You are encouraged to read guidance in respect of your company’s GDPR processes from the Information Commissioners Office (ICO) at

Please note that Alcumus (which includes any and all of its group companies) are not data protection specialists (which includes (but is not limited to) GDPR, the Data Protection Act 1998 and the Data Protection Act 2018).

Data protection compliance is the sole responsibility of the client and any material provided by Alcumus and relied upon will be at the complete risk of the client. If in doubt, please seek advice from a suitably qualified data protection specialist in relation to the legislation.

Alcumus does not accept liability for any loss suffered (including but not limited to any financial loss) due to reliance on its material(s) and/or any policies or processes the client implements in respect of its data protection responsibilities.