GDPR: Top 10 Questions & Answers

Napthens - November 24th 2017

1.  Are there any specific clauses I should add to employment contracts to ensure I am compliant with holding data from a GDPR perspective?

Commentary even prior to the GDPR suggested that relying on consent to process employee data was not recommended. The concern about relying on consent as the grounds for processing in the employment context is mainly driven by the question of how genuine consent can be where there is an inequality of “power” between the parties - e.g. the employee may feel under duress to consent for fear that s/he may otherwise lose his/her job.

A further point to note: if you are relying on consent going forward, the ICO recommends, amongst other points, that:

  • Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
  • Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
  • Consent should be obvious and require a positive action to opt in.
  • Explicit consent must be expressly confirmed in words, rather than by any other positive action.
  • There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Going forward, the grounds for processing many types of personal data in the employee context will be based on a “legitimate interest argument.” For this, the employer would be wise to document and provide a privacy notice to the employee(s) setting out the basis of the processing for the specific data in question, detailing why it believes a legitimate interest exists.

2.  Can employment contracts have GDPR compliance written into them? i.e. consequences of leaving customer info lying around.

No - you can’t have GDPR compliance written into them.  To ensure compliance a multi-pronged approach of reviewing many HR policies/documents will be needed including appropriate training for staff.

However, turning specifically to the point of wanting to reprimand an employee for leaving confidential information lying around: to put the organisation in the best position possible for dealing with this scenario, it should review its:

  • confidentiality/clear desk policy, and
  • disciplinary policy, considering whether breach of confidentiality (if not already provided for in the handbook/policy) should be a misconduct trigger

3. Do you have to keep records of Subject Access Requests and timescale copies of your replies?

It is certainly good practice to document what you have done, as evidence should any claim be brought that you haven’t complied with your obligations – this is all part of the requirement to be able to demonstrate compliance.

In the event that an individual refers to an alleged breach as part of a potential claim (in the Employment Tribunal, with the ICO or otherwise), these records will be your evidence. We would therefore recommend keeping them for no longer than 6 years, but long enough to be confident that no claim will be brought (the most risk-averse approach would be to keep them for the full 6 years).

4.  How are the ICO fine amounts decided upon?

At present, the ICO looks at the nature of the breach, whether it was intentional, negligent or accidental, past compliance records and how cooperative the organisation was (and what it did to prevent future breaches). Going forward we do not expect to simply see a pro-rata increase in fines, but obviously the worst-case offenders are going to be hit much harder.

5.  Can former employees make retrospective requests?

Subject access requests are available to everyone, and not just employees. Therefore a data subject can make a request if they suspect any organisation holds data on them – whether they are a previous employer or otherwise.

We would suggest that any policy on the retention of employee data is made clear and shared with individuals, i.e. all employee records will be deleted after XX years. That way, if a request is submitted after this date, you have a clear rationale for no longer holding this data.

6.  Is a SAR any different for an employee or a customer?

There is no difference between a SAR for an employee and a SAR for a customer. They are both a request to access their personal data.

Your response to a SAR needs to cover:

  • Purpose of processing
  • Categories of personal data processed
  • Recipients or categories of recipients who receive personal data from the data controller, e.g. payroll provider, pension provider etc., and in particular whether the recipient is outside the EEA
  • Retention rules of the organisation over their personal data
  • Where the personal data has come from if not collected directly
  • Whether or not there are any automated decision-making procedures and, if so, the consequences of this for the data subject
  • The rights to correction, erasure, restriction and objection and making complaints to the ICO

From the above, you will recognise that a response to a SAR is likely to differ significantly between an employee and a customer, as the categories of personal data you hold and the reasons for processing that data are likely to be different, particularly given the employee’s integration in the business.

7.  I've started receiving communications from companies asking me to 'opt in' to marketing contact - obviously in preparation for GDPR. Is this legally allowed?

This will vary on a case-by-case basis. If you have consented previously to an organisation and have engaged with their marketing material recently, then they may argue that there is currently an ongoing relationship and that it is appropriate for them to check, within a reasonable period of time, that this is still of interest. If, however, the marketing contact has ceased for 6 months or more and you receive an email out of the blue, or you have unsubscribed from the material and they are still sending you emails, then there may be a potential breach.

8.  Can the ICO request your audit information as well as compliance documentation?

The ICO can ask for anything … but they may not be entitled to receive it! It depends on the nature of the request, and each one will depend on the facts. However, as a general rule of thumb, it is better to be co-operative than not when they come knocking at the door to minimise any enforcement action.

9.  Just having previous consent doesn't mean you have consent forever. Always best to set a policy to advise when you will renew it. How often would you recommend?

It depends on the nature of the processing, for example an annual ‘budget day’ newsletter is unlikely to need to be updated every year, whereas it may be appropriate for other newsletters.

Most mailing systems now can monitor read and unread emails, and so best practice would be to unsubscribe data subjects if they have not opened your emails for a prolonged period. This varies as to the nature of the processing, but we have clients who unsubscribe you from their monthly bulletins if you haven’t opened the previous three.

10.  Is opting in to marketing contact non-compliant from May 18?

Opting in is essentially giving consent, so it depends on how it is done. Because consent from May will face a higher test, there is much discussion about using the legitimate interests basis, especially around existing customers (the soft opt-in), which is different to consent and cannot be withdrawn as easily (but can be objected to). A good opt-in form will be compliant.

Please note: All scenarios are based on their own specific facts, and although we have provided general responses, the answers cannot be considered as legal advice.

For more information, please contact our GDPR specialists on 01772 888 444 or by email to GDPR@napthens.co.uk