

The GDPR is a complex piece of legislation designed to ensure maximum protection for personal data, meaning that achieving compliance can be difficult.

The GDPR may be regarded as a ‘sledgehammer to crack a nut’ by some – but it is a nut that needs cracking. Personal data has immense worth, as people are starting to realise, and can be too easily exploited. Unfortunately for smaller businesses, the ‘one size fits all’ nature of the legislation is undoubtedly burdensome.

Employment Law advice relating to GDPR

The General Data Protection Regulation (GDPR) is arguably the most significant and most ambitious piece of legislation to come out of the EU. It was brought into force in England and Wales on 25 May 2018 by the Data Protection Act 2018.

What does the GDPR require?

Like the Data Protection Act 1998 before it, the GDPR imposes a number of obligations on organisations that process personal data. In order to understand those obligations, it is important to understand the terminology used.

Processing is essentially any act performed on personal data. The definition captures everything that one might do with data, including: collecting, recording, organising, storing, using, manipulating, disclosing, disseminating and even deleting or destroying the data. Basically, anything that an organisation does with data that identifies a person (data subject) is “processing”.

Personal Data is information relating to an identified (or identifiable) natural person (a Data Subject). It includes information which, alone or in combination with other information (that the controller has or can access), directly or indirectly identifies a data subject. Essentially, anything about a person.

Sensitive Personal Data is data which is more sensitive or private – it includes information about racial or ethnic origin, health, sex life, sexual orientation, political opinions, religious and philosophical beliefs, trade union membership and genetic and biometric data.

Data Controller: a data controller is the entity that controls the personal data about the data subject and makes decisions about that data, i.e. how to use it. Most organisations will be a data controller for some, although perhaps not all, of the personal data they come into contact with.

Data Processor: a data processor processes personal data on behalf of a data controller. So, an organisation offering translation services will normally be a data processor in relation to the information provided to it to translate by the data controller. A data processor does not decide what to do with the data, i.e. it does not control decisions in relation to the data; it merely undertakes actions on the instructions of the data controller.

The GDPR requires organisations to protect data. It encourages responsible treatment of personal data through a few key principles, backed by the threat of some pretty hefty penalties.

Key Principles

  • To collect and process data fairly and lawfully
  • To inform data subjects about the type of data held and how it is to be used
  • To only use data for the purpose for which it was collected
  • To keep data up to date
  • To retain data for no longer than necessary
  • To have appropriate security measures in place
  • To provide data subjects with their rights under the legislation, for example the rights to access the data, to correct it, to request that it is erased
  • To ensure compliance with restrictions on cross-border transfers
  • To be able to demonstrate compliance.

The lawful bases for processing personal data are limited to those specified in the legislation. Whether personal data can be lawfully processed will depend on a number of factors, including why the data was obtained in the first instance, what the data subject was told the data would be used for and whether the controller meets one of the criteria for lawful processing. The requirements for processing Sensitive Personal Data are more stringent – and consent is likely to be required.

Potential Penalties

The potential fines under the GDPR are significantly higher than they were under the Data Protection Act 1998. Whereas under the DPA the maximum fine was £500,000, under the GDPR administrative fines can be up to 4% of global annual turnover (or 20 million Euro, whichever is greater).

Irrespective of the fines, given the political and media focus on data protection, a data breach could have catastrophic consequences for the reputation of the business.

In summary

If you don’t need the data, don’t get it. If you do need it and you do get it, make sure the data subject knows what you are going to do with it and consents if necessary, and then… guard it with your life!
