Under GDPR, employers may need to re-think their entire policy regarding storing staff’s data.

In a nutshell, employers must be transparent, and only hold data if is essential they do so. And there is one key point to bear in mind. The relationship between employer and employee is not asymmetrical, but GDPR rules are designed to protect staff from feeling they have no choice but to sign away permission to their boss to do whatever he/she wants.

The General Data Protection Regulation is coming into force on May 25th 2018. And the fines dished out to companies that do not comply can be heavy indeed – 4 per cent of turnover or 20 million euros.

It may seem as if there is an easy fix for employers – get staff to agree to their employer holding their data. But, as the ICO, the regulator charged with overseeing data protection rules in the UK said: “if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data”.

In other words, staff have to be given a genuine choice when agreeing to the use and storage of their data.

The employer needs to follow certain procedures and be:

  • Concise in the way it seeks permission to hold data.
  • Transparent, so that the employer knows what data is held and why.
  • Intelligible, so that any permission is not, for example, wrapped up in legalise to disguise the key issues
  • Easy to access – data that is held and permission granted has to be easily available to staff
  • Distinct from other arrangements from the data subject.
  • Written in clear precise language.


Following those tips is a good start.

However, things don’t always go to plan. Employers and employees can fallout. An en employer may take umbrage to certain data being held. To protect itself, a company needs to focus on the amount of data held, the extent of the data and the time frame in which it is held.

The key here relates to only holding data when, and to the extent, it is necessary.

The ICO says “If you are processing employee data… you should look for another basis for processing such as….legitimate interests.”