Your business guide to GDPR compliance

Since GDPR was introduced on 25 May 2018, many of our corporate and commercial clients have asked us for informal advice on how to comply. In this guide we discuss how compliance with GDPR relates to your B2B and B2C contracts, internal processes, and sales and marketing activity.

What is personal data?

You will probably be aware by now that the GDPR applies to all processing of personal data, being any data which identifies an individual, either on its own or when combined with other data the data controller has or which may come into its possession. The GDPR states that clear, freely given consent where a data subject ‘opts in’ to their data being processed or another lawful basis must be relied upon to lawfully process personal data (see our Data Protection FAQs for more details). The GDPR is also clear that ‘personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means’. This should be noted in respect of all processing of personal data.

What are the main issues to consider relating to business-to-business (B2B) contracts and the GDPR?

The main issues for how your business handles B2B contracts are as follows:

  • B2B contracts involving the processing of personal data include outsourcing and services contracts where a supplier processes data for its client (the data controller). The supplier is then the data processor. The GDPR imposes direct legal obligations on the data processor as well as on the data controller; contracts should now reflect this and both parties should be aware of it. If you have not already done so, review and revise your business’s contract templates for services involving the processing of personal data so that all of the GDPR’s requirements are met. A data processing agreement would achieve this.
  • The GDPR permeates different areas of business. Your business may already be compliant in some areas, such as confidentiality, but not in others, so you will need to review all policies and procedures linked in any way with data processing to ensure that you are fully compliant.
  • One of the requirements imposed by the GDPR is a restriction on the processor engaging a sub-processor without the data controller’s prior written consent. These obligations are likely to make the negotiation of data processing service contracts more complex and slower, as the data controller will need to ensure that any contract with a sub-processor provides for the sub-processor to delete personal data on termination of the parties’ agreement, to assist with any data subject rights request or proof of compliance, and to advise the data controller immediately if the sub-processor believes the data controller to be in breach of its obligations under the GDPR. This is also likely to increase the cost of data processing services, as processors may need to implement more robust systems to meet the GDPR’s more stringent requirements.
  • You will need to identify all service providers or other third parties who may receive, access, obtain or store personal data governed by the GDPR, to ensure that any contracts with those parties have been updated to reflect the GDPR and that in practice the provisions of the GDPR are being observed in full.
  • If there are gaps in existing contracts, a plan to fill those gaps will need to be considered and implemented quickly. In particular, you will want to review what personal data the processor holds, for how long it holds that data and why. You will need to ensure that the data processor has adequate security for the personal data being processed, to list the data controller’s rights and obligations, and to ensure that the data processor only has the right to act in respect of that personal data on the data controller’s specific written instruction.
  • There may be ‘joint controllers’ in some B2B contracts (for example, supplier and distributor, or franchisor and franchisee). In this case both data controllers are responsible for GDPR compliance, and a data subject can exercise its rights against either data controller. A less obvious example is a notice clause giving a specific name and email address for each business to use for certain communications. As these include an individual’s details they are personal data, and so both parties are likely to be controllers in this instance.

What are the main issues you need to consider relating to Business-to-consumer (B2C) contracts and the GDPR?

Your business will need to consider and possibly change several elements of your B2C contracts. Unsurprisingly, there are more stringent regulations relating to business-to-consumer (B2C) contracts. Regulations relating to transparency, consent, direct marketing and privacy notices in particular are worth noting.

The obligations under both the E-privacy Regulation and the GDPR, and the interaction between the two, are also critical and are set out in the section ‘What is the E-privacy Regulation and what do you need to do to comply with it?’ below.

Should you change your corporate processes as a result of the introduction of the GDPR and if so, how?

There are several ways in which it would be advisable to consider changing your business’ corporate processes, as a result of changes to data protection legislation. Here are some operational processes you will need to review:

Data Protection by Design and by Default

Technical and organisational measures, such as pseudonymisation, should be used by the data controller to ensure that, by default, only the personal data necessary for each specific purpose is processed, and that it is retained only for as long as required, in compliance with the data protection principles. Controllers may use approved codes of conduct or certification schemes to demonstrate compliance with this obligation, but these are not mandatory.

The data protection principles must be built into your business’ products, services, internal processes, and third-party relationships from the outset, moving forward. For example, when introducing a new product or service, consider the data protection and privacy implications by questioning these aspects and including them in development plans. You should consider impact on data subjects, their perspective, interests, fundamental rights, and freedoms, what data needs to be provided and what can be reduced, as well as measures to best guarantee data security.

You should ensure that staff are well trained in respect of data protection (including developers, engineers and others who develop products and services, human resources, marketing managers and others who help develop the businesses internal processes and procurement managers involved with purchasing third-party products that use personal data collected by the company). Where possible, across your corporate policies, you may wish to encourage staff to remove data which identifies specific individuals.
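To show what ‘by default, only the personal data necessary for each specific purpose’ looks like in a system rather than in a policy, here is an added illustration in Python. It is not code from the original guide: the sample customer record, the two purposes, the field lists and the key handling are all assumptions made for the example. It minimises a record to the fields a named purpose is allowed to see, coarsens a field that need not be exact, and then pseudonymises the identifier with a keyed HMAC so that a recipient without the key cannot re-identify the person.

```python
"""Data protection by design: per-purpose minimisation plus keyed pseudonymisation.

Added illustration, not code from the original guide. The record layout,
purpose names, field lists and key handling are assumptions for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample record, as a customer system might hold it (not real data).
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "date_of_birth": "1988-04-02",
    "postcode": "EX1 2AB",
    "health_notes": "wheelchair user",  # special category data
    "order_total_gbp": 149.50,
}

# Assumed purposes and the fields each one is allowed to see. Anything not
# listed is dropped before the data leaves the controller's core system.
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "name", "email", "postcode"},
    "sales_analytics": {"customer_id", "postcode", "order_total_gbp"},
}

# Per-purpose coarsening of fields that are kept but need not be exact.
PURPOSE_TRANSFORMS = {
    "sales_analytics": {"postcode": lambda p: p.split()[0]},  # outward code only
}


def minimise(record, purpose):
    """Keep only the fields the purpose needs, coarsening where configured."""
    allowed = PURPOSE_FIELDS[purpose]
    transforms = PURPOSE_TRANSFORMS.get(purpose, {})
    out = {}
    for k, v in record.items():
        if k in allowed:
            out[k] = transforms[k](v) if k in transforms else v
    return out


def pseudonymise(record, key, fields=("customer_id",)):
    """Replace identifying fields with keyed HMAC-SHA256 tokens.

    The key is held separately from the data. Whoever holds the key can
    re-link the tokens, so the output is still personal data under the GDPR,
    but a recipient without the key cannot identify the individual from it.
    """
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = hmac.new(key, str(out[f]).encode(), hashlib.sha256).hexdigest()
    return out


def prepare_for_purpose(record, purpose, key):
    """Minimise first, then pseudonymise: the order a by-default pipeline uses."""
    return pseudonymise(minimise(record, purpose), key)


def relink(token, candidate_ids, key):
    """With the key, recover which known id a token belongs to (None if unknown)."""
    for cid in candidate_ids:
        expected = pseudonymise({"customer_id": cid}, key)["customer_id"]
        if hmac.compare_digest(expected, token):
            return cid
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: stored in a key store, not with the data
    view = prepare_for_purpose(CUSTOMER, "sales_analytics", key)
    print(view)
    print(relink(view["customer_id"], ["C-1000", "C-1001"], key))
```

The analytics view never contains the name, email, date of birth or health notes, and its postcode is reduced to the outward code; the identifier that remains is only re-linkable by whoever holds the key, which is what makes this pseudonymisation rather than anonymisation.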

Data Protection Impact Assessments (DPIAs)

Specific data protection impact assessments must now be conducted by businesses whenever processing personal data is likely to present a high risk to a person’s rights and freedoms (including rights to liberty, conscience and religion, and freedom of speech, thought and movement).

You will need to have in place policies or measures to decide when DPIAs will be required, and employees should be fully trained in their implementation. According to the Data Protection Working Party Guidelines, a DPIA should be carried out if processing involves at least two of the factors below, but if there is a high risk relating to just one of these factors it may still be advisable to carry out a DPIA:

  • Any data processing involving vulnerable data subjects (for example, children)

  • Special category data processing (such as data about an individual’s health)

  • Large scale data processing (for example, a nationwide marketing campaign targeting hundreds of customers would represent a higher risk than if only a few local customers were targeted)

  • Combining or matching sets of data, particularly if this is unlikely to be expected by data subjects

  • Automated decision making (for example, profiling which could lead to discrimination)

  • New technologies used by the data controller for collecting and using the data

  • Systematic monitoring (such as smart meters)

  • Evaluation or scoring (for example, scoring customers on their credit rating)

  • Processing which prevents an individual from exercising a right or using a service (such as an insurance company processing data to calculate premiums and decide on whether it can insure an individual)

Even if two of the above processing criteria exist, if the processing is unlikely to result in a high risk and the reasons for not undertaking a DPIA are recorded in writing, you do not have to carry out a DPIA.

The GDPR also requires the ICO to publish those areas of processing in which it considers a DPIA is required. The ICO’s list is below:

  • New technologies or new ways of applying existing technologies to process data

  • Denial of a product, service, opportunity or benefit because of automated decision-making or the processing of special category data

  • Large-scale profiling

  • Processing involving biometric data

  • Processing involving genetic data (other than processed by a health professional for the provision of healthcare to the data subject)

  • Data matching

  • Invisible processing (where personal data has not come directly from the data subject and the data controller has not complied with the GDPR by giving the required information to the data subject in this circumstance as they believe this would be impossible or a disproportionate effort)

  • Processing involving tracking an individual’s geolocation or behaviour

  • Targeting of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making or where online services are being offered directly to children

  • Processing involving the risk of physical harm to individuals

It would be prudent to consider both of the above lists in any policy you introduce relating to DPIAs.

Any policy relating to DPIAs should define and attribute specific roles and responsibilities; it should include any advice from the business’s DPO or other staff responsible for privacy or data subjects where appropriate, and consultation with any third-party processor. Such a policy should be reviewed regularly and should set out the process to follow if the DPIA identifies residual high risks after considering available protection measures (such as how mandatory prior consultation with the ICO will be carried out). Your policy might also suggest considering other options and not pursuing processing that may result in high risks, so as to avoid triggering a mandatory prior consultation. If you require further advice on data breach notification requirements or mandatory prior consultation, our specialist data protection lawyers can help.

Privacy notices

Ensure that your previously drafted privacy notices are altered to reflect the new definitions of personal data and special category data, as both definitions were widened under the GDPR (for example, ‘location data’ is now included within the scope of personal data and ‘genetic data’ is now included as special category data).

If data falls within the definitions covered by the GDPR, a privacy notice will need to be provided to the data subject at or before the time the personal data is collected, where it is collected directly from the data subject. Where the data is obtained from a third party, the notice should be provided before contacting the data subject and otherwise within a reasonable time (a maximum of one month) after receipt of the personal data, and in any case before disclosing data received from a third party to another third party.

If you have not done so already, you will need to regularly review your privacy notices to ensure that they are sufficiently transparent, which includes:

  • A business providing the data subject with the data controller’s name and contact details, and the name(s) of any specific third party who may receive the personal data

  • The legal basis for and purpose of processing

  • Whether automated decision making (including profiling) is used, how this works and consequences for the data subject

  • Disclosure of any potential cross-border transfer and how this will be legally completed

  • How long the data will be retained

  • Consequences of not providing the data controller with the data

  • The data subject’s rights

  • Being clear, concise, easily accessible and in writing, unless the data subject has requested otherwise and the details of that request have been carefully recorded.

For further reading, we have created a handy guide on how to write a GDPR compliant privacy policy.

Under the GDPR you will also need to provide a data subject with any information you receive about them from a third party (unless an exemption applies). In this situation your privacy notice to the data subject will need to include all of the above, but also describe the categories of personal data and where you received the personal data from.

It is important under the GDPR to be able to demonstrate compliance, and therefore all privacy notices (or evidence of them) should be securely stored, and policies should make clear that, where possible, anything relating to GDPR compliance throughout the period of collecting and processing the data is written down.

Obtaining consent for data processing

You may not wish to rely solely on consent for the lawfulness of processing, but where consent is relied upon, one of the more publicised changes under the GDPR is that pre-ticked boxes are no longer acceptable when seeking consent for data processing. There must be an ‘opt in’, or consent confirmed by some form of declaration, for the consent to be lawful.

Accountability is a new obligation placed on data controllers under the GDPR and means there is greater responsibility for keeping records of how and when consent is given by a data subject. Individuals now also have the right to withdraw their consent at any time.

The ICO has made clear that businesses will not be required to get fresh consent from an individual if the standard of the existing consent meets the new requirement under the GDPR, but fresh consent will be needed where, for example, pre-ticked boxes were used: these were previously acceptable under the DPA 1998 but now fall short of the requirements.

Data security processes

If you have not done so since the introduction of the GDPR, it would be advisable to carry out an audit of your business’s technical and organisational measures relating to personal data security. You can then compare these against the GDPR’s requirements and, where necessary, put in place an action plan to ensure that you are fully compliant.

If you do not have a clear written data protection and security policy or procedure which employees are aware of and follow, it would be a good time to get one drafted. Alternatively, if you already have a policy, ensure that this has been fully updated since the introduction of the GDPR. Our GDPR solicitors can help with this drafting or updating.

It is critical that, as part of any data security policy or process, you are now able to demonstrate ‘resiliency’ in your data security risk assessments as a separate head, even if this is mentioned in other areas of the risk assessment. This helps a business to demonstrate compliance with its accountability obligations under the GDPR.

What is the E-privacy Regulation and what do you need to do to comply with it?

The E-privacy Directive 2002 (implemented in the UK as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) is under review, and the draft E-privacy Regulation covers far more, including WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber, whereas previously only traditional internet and telecommunications service providers were included. The reasoning for the wider scope is to:

  • Clarify electronic direct marketing rules
  • Clarify rules on metadata
  • Improve confidentiality in security and communication
  • Clarify rules on tracking technologies (such as cookies)
  • Harmonise EU member states in this area

Whilst the new E-privacy Regulation continues to be negotiated, the PECR (as amended by the GDPR) continues to apply in the UK, and we advise you to check back here for updates to stay compliant in this fast-moving area of law. The E-privacy Regulation is not likely to come into force until 2023.

What additional issues do you need to consider on the sale or purchase of a business relating to data protection under the GDPR?

Due diligence and warranties are key GDPR issues if you are buying or selling a business. Here’s how:

Due diligence

  • On the sale of a business there are joint controllers in respect of personal data and special category data (for example, employee details) transferred from a seller to a buyer of a business, and so both parties will be required to comply with the GDPR. Businesses may wish to attempt to avoid this regulation through anonymisation or pseudonymisation of personal data. Interestingly, pseudonymisation is referred to explicitly in the GDPR on 12 occasions. This emphasis should not be ignored, and you may want to consider this avenue to safeguard personal data, alongside your existing safeguards, but you will need to tread carefully.
  • If the above techniques are not used, parties to a transaction must rely on consent from data subjects (which is difficult, as consent is unlikely to be freely given in the circumstances) or will need another lawful basis for processing the data. This may be easier in some areas than others: for example, the Transfer of Undertakings (Protection of Employment) Regulations (TUPE) provide a lawful basis for processing, as it is necessary to comply with the legal obligation on a seller to provide a buyer with certain employee details before an asset purchase of a business. In other areas, and when businesses are acquired by share purchase, the seller would have to ensure that employee or customer privacy notices refer to the prospect of future processing for the purposes of a business sale, and that the legitimate interests of the controller are weighed against the rights and freedoms of the data subject before any data is transferred to the buyer or its agents. If selling by way of an asset sale, both the seller and the buyer should inform the individuals about the disclosure and receipt of personal data.
  • Due diligence should include requests by the buyer for all information and policy documents relating to the seller’s compliance or non-compliance with data protection legislation in general, and with the warranties more specifically, as expanded upon below.

As a bare minimum a buyer will want the following assurances relating to data protection from a seller in the sale and purchase documents:

  • Compliance with all data protection legislation, including data maps of all its processing activities and a warranty stating that privacy notices have been issued to all data subjects
  • There have been no notices received by the seller about any claims relating to data protection legislation, and the seller is not under investigation by the ICO
  • That robust technical and organisational measures are in place to ensure personal data security
  • If any processors have been appointed to act on the seller’s behalf, the third party concerned has complied with the GDPR
  • The seller has an adequate data breach response plan in place

What additional issues do you need to consider on the sale or purchase of a database relating to data protection under the GDPR?

Buying and selling databases has considerable GDPR ramifications:

  • If you sell a database, you and the buyer will be processing the data stored within the database. This also applies when you license a database, because the licensee becomes a data controller in respect of the data. There is an obligation in this case for the data subject to be advised that their personal data is being transferred to the buyer or licensee, usually by way of a ‘fair processing notice’. If one party is responsible for this, it is important that the purchase agreement includes a warranty ensuring that the party will fulfil this obligation. Upon this change in data controller, you should also notify the ICO within 28 days of the transfer.
  • If you buy personal data from another organisation, you must provide people with your own transparency information detailing anything that they haven’t already been told. Where the sale of the data is not part of the sale of a business, it is better practice to rely on consent for the lawfulness of processing, and you should ensure the data protection principles are respected. This means that data cannot be sold if the sale would be incompatible with the original purpose specified to the individual when it was collected. You are therefore advised to inform individuals that the information you are collecting may be sold or licensed in the future or, where the original purpose communicated did not provide for future sale, to seek the individuals’ consent by re-issuing them with a privacy notice informing them of the sale, within a reasonable period of time.
  • Similarly to the sale of a business above, the buyer will need warranties in respect of data protection. A buyer is likely to request the following warranties from a seller of a database: that data protection law has been complied with in all respects by the seller; that all of the information is accurate and up to date; that the seller is entitled to transfer the database to the buyer; that the seller, and so in turn the buyer on transfer, is entitled to use the database for the purpose it intends to use it for; and that the seller has no notice of any claims or complaints by data subjects of the database and has received no notice of non-compliance or investigation by the ICO.
  • When selling a database, as with any personal data transfer, you must ensure that the transfer is completed securely and that measures are taken to protect the data from accidental loss, damage and theft. If you are buying the database, you should check the details of the data on the database to ensure it is not excessive or unnecessary with respect to the purpose for which you require the data.

What do you need to know about the GDPR and marketing?

Direct marketing is defined as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’. Anything which contains a marketing message, even if that was not the main purpose of your material, is direct marketing. If you call an existing customer to discuss their current order and mention a sale on another product, this would be direct marketing.

If you fail to get proper consent, you could face a large fine, as one finance firm recently found out, facing a fine of £30,000 for sending 65,000 spam texts in under four months.

Consent needs to be:

  • Freely given – you can’t state that consent is needed to use your services
  • Specific – to the type of marketing communication
  • Informed – the individual needs to know what consent they’re giving
  • A proven sign of agreement – there needs to be a positive expression of choice

The easiest method of getting consent (especially online) is by using an opt-in tick box. Ideally, a separate tick box should also be used for each type of marketing you intend to send out, for example by post, email, telephone or text message.

You should keep records of anyone who consents to receiving marketing materials, which should include:

  • Date of consent
  • Method of consent
  • Who was given the consent
  • What communication they have consented to
  • Exactly what information was provided to the person consenting

It’s also important to keep records of anyone who opts out of marketing – this is known as ‘suppression’. You should record enough details to make sure that their preferences are remembered for any future promotions.

If you’re looking at buying marketing lists where consent was given to a third party, that consent may not be sufficient for you to contact an individual directly, and so, where you do not have direct consent, your business should where possible be specifically named in the consent. You should further protect your business by:

  • Asking to see records of how and when the consent was given and what the customer was told
  • Cross-referencing people’s details with those in your current records to make sure they don’t receive the same message twice
  • Cross-referencing people’s details with your suppression records
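The record-keeping, suppression and list-screening steps above can be turned into a simple automated check. The following Python is an added illustration and is not part of the original guide: the business name ‘Acme Ltd’, the sample bought-in list entries, the field names and the class and function names are all constructed for the example. It stores consent records with the fields the guide lists, keeps a suppression list, and screens a bought-in list by rejecting anyone who is suppressed, already held, lacks a record of how and when consent was given, did not name the buying business, or did not consent to the channel in question.

```python
"""Consent records, suppression list and screening of a bought-in marketing list.

Added illustration, not code from the original guide. The business name,
sample entries and field names are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ConsentRecord:
    """One consent capture, holding the fields the guide says to record."""
    contact: str            # the address or number the consent relates to
    consented_on: date      # date of consent
    method: str             # method of consent, e.g. "web form opt-in"
    given_to: str           # who was given the consent
    channels: frozenset     # what communication they have consented to
    statement_shown: str    # exactly what information was provided to them


class MarketingLedger:
    """Consent records plus a suppression list, with checks before sending."""

    def __init__(self, our_name):
        self.our_name = our_name
        self.consents = {}       # normalised contact -> [ConsentRecord, ...]
        self.suppressed = set()  # normalised contacts who have opted out

    @staticmethod
    def _norm(contact):
        # Normalise so that case or stray spaces cannot bypass a suppression.
        return contact.strip().lower()

    def record_consent(self, rec):
        self.consents.setdefault(self._norm(rec.contact), []).append(rec)

    def opt_out(self, contact):
        """Suppression: remember the opt-out so future campaigns honour it."""
        self.suppressed.add(self._norm(contact))

    def may_send(self, contact, channel):
        """True only if not suppressed and a consent naming us covers the channel."""
        c = self._norm(contact)
        if c in self.suppressed:
            return False
        return any(r.given_to == self.our_name and channel in r.channels
                   for r in self.consents.get(c, []))

    def screen_bought_list(self, entries, channel):
        """Apply the guide's checks to a bought-in list; return (accepted, rejected)."""
        accepted, rejected = [], []
        for e in entries:
            c = self._norm(e["contact"])
            if c in self.suppressed:
                rejected.append((c, "on suppression list"))
            elif c in self.consents:
                rejected.append((c, "already in our records"))
            elif not e.get("consented_on") or not e.get("method"):
                rejected.append((c, "no record of how/when consent was given"))
            elif self.our_name not in e.get("named_recipients", ()):
                rejected.append((c, "consent does not name us"))
            elif channel not in e.get("channels", ()):
                rejected.append((c, f"consent does not cover {channel}"))
            else:
                accepted.append(c)
        return accepted, rejected


# Constructed bought-in list entries, as a list supplier might describe them.
SAMPLE_BOUGHT_LIST = [
    {"contact": "a@example.com", "consented_on": date(2019, 3, 1), "method": "web form",
     "named_recipients": ("Acme Ltd",), "channels": ("email", "sms")},
    {"contact": "b@example.com", "consented_on": date(2019, 3, 1), "method": "web form",
     "named_recipients": ("Other Co",), "channels": ("email",)},       # names another business
    {"contact": "c@example.com", "consented_on": None, "method": None,
     "named_recipients": ("Acme Ltd",), "channels": ("email",)},       # no provenance
    {"contact": "d@example.com", "consented_on": date(2019, 3, 1), "method": "web form",
     "named_recipients": ("Acme Ltd",), "channels": ("post",)},        # wrong channel
    {"contact": "Existing@example.com", "consented_on": date(2019, 3, 1), "method": "web form",
     "named_recipients": ("Acme Ltd",), "channels": ("email",)},       # already ours
    {"contact": "gone@example.com", "consented_on": date(2019, 3, 1), "method": "web form",
     "named_recipients": ("Acme Ltd",), "channels": ("email",)},       # opted out with us
]


def demo():
    """Build a ledger for the assumed business 'Acme Ltd' and screen the sample list."""
    ledger = MarketingLedger("Acme Ltd")
    ledger.record_consent(ConsentRecord(
        "existing@example.com", date(2018, 6, 1), "web form opt-in", "Acme Ltd",
        frozenset({"email"}), "Tick to receive Acme Ltd offers by email"))
    ledger.opt_out("gone@example.com")
    accepted, rejected = ledger.screen_bought_list(SAMPLE_BOUGHT_LIST, "email")
    return ledger, accepted, rejected


if __name__ == "__main__":
    _, acc, rej = demo()
    print("accepted:", acc)
    for contact, reason in rej:
        print("rejected:", contact, "-", reason)
```

Only the first entry survives screening; each rejected entry carries the reason, which is the kind of written record the accountability principle expects you to be able to produce if the ICO asks how a list was vetted.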

There are several examples of recent case law relating to third party marketing which are worth noting:

  • Businesses that use and rely on third party marketing lists should take note of a First-tier Tribunal (Information Rights) decision relating to breach of the Privacy and Electronic Communications Regulations 2003. The tribunal upheld the ICO enforcement notice requiring a company to stop sending unsolicited marketing texts to individuals whose details were obtained under data supplier agreements. The company used personal data provided by several suppliers to send text messages to individuals, without their prior consent, marketing its laser eye surgery. The ICO received 7506 complaints from individuals about this. This decision serves as a reminder that third party marketing lists must be treated with great caution and that the business buying or renting the list must make rigorous checks before relying on it. It also reinforces the need for businesses to inform individuals who their personal data will be shared with and for what purposes, and to obtain prior consent in relation to email and text marketing.
  • The ICO has also recently issued a record monetary penalty notice of £200,000 to a company for making automated marketing calls without the recipients’ prior consent. The company made or instigated over six million calls as part of a massive automated call marketing campaign offering ‘free’ solar panels. In just over two months (from October to December 2014) the ICO received 242 complaints from recipients. When assessing the level of the penalty, the ICO also took into account that the company did not identify itself, nor provide an address or freephone contact number.
  • In a recent case, the ICO fined an online pharmacy £130,000 for selling the details of 21,500 customers (without their informed consent) to third parties. The penalty is the first of its type to be issued for a breach of the first data protection principle, regarding fair and lawful processing of personal data. The company collected personal details through its customer registration process and, when registering, customers could untick a pre-ticked box to indicate they did not wish to receive marketing emails. However, extra optional click-throughs were required to access the company’s privacy policy, which explained that to opt out of personal data being shared with third parties, customers had to log into their account and change their settings. Businesses must provide clear information, in a prominent position, to customers as to how their data will be used and who it will be shared with. They must also provide customers with a simple way to express their preferences in relation to the use of their personal data.

The rules relating to marketing and data protection depend on who the recipient of the marketing is – individuals (consumers, sole traders and partnerships in the UK) or corporate subscribers (limited companies, limited partnerships and public bodies).

Here is what consent your business needs under the GDPR to market to different audiences:

Marketing type: Emails, texts, voicemail, video and picture messages

Individuals (B2C): Prior consent is required and must be given to the sender, apart from in some existing commercial relationships for similar goods or services, where individuals must be given an opportunity to opt out of direct marketing at the same time as their data is being collected. If the individual chooses not to opt out on that occasion, every subsequent email must provide the option to unsubscribe. The identity of the sender must be contained in each message.

Corporate (B2B): Prior consent is not required and there are no opt-out rights. (However, the ICO does recommend as best practice keeping a list of those entities who have objected to marketing communications and offering the right to unsubscribe in each email. Most businesses are likely to take this on board so as not to irritate those who are not interested or waste time marketing to those entities.) Having said this, as stated above, email addresses containing individual names or identifying features do attract rights under the GDPR, including the right to object to processing of their data. The sender’s identity must be contained in all messages.

Third party marketing lists: As prior consent must be given to the sender, you must take particular care when buying or renting marketing lists. The ICO states that indirect consent given to a third party may not be sufficient, and so it is best practice to get consent directly or only contact corporate subscribers in respect of this marketing type. The ICO does accept that indirect consent might be valid in some circumstances if it is clear and specific enough, for example if your organisation was specifically named. When using third party lists for this type of marketing, the buyer should seek proof of opt-in consent given to the seller specifically naming the buyer. There is no ‘soft opt in’.

Marketing type: Automated calls (a way of automatically making several calls to more than one place, in line with instructions in that system, transmitting sounds which are not live speech received by people at some or all of the places called)

Individuals (B2C): Prior consent is required, and the caller must always identify themselves and provide an address and freephone contact number.

Corporate (B2B): Prior consent is required, and the caller must always identify themselves and provide an address and freephone contact number.

Third party marketing lists: Prior consent must be given to the caller, so businesses must take care when using marketing lists they have bought. Any third parties who rely on consent for bought-in lists must be specifically named. The caller of the automated calls must display their telephone number.

Marketing type: Live telephone calls

Individuals (B2C): Prior consent is not required, but individuals can opt out, and contacting an individual after they have done so is unlawful. It is a legal requirement for businesses to check against the Telephone Preference Service (TPS). Companies, charities, voluntary organisations and political parties must not make unsolicited calls to numbers that are registered on the TPS, unless the individual has specifically told them they can call, or during the 28-day registration period unless an opt-out request to that particular caller was already in place. Consent can be withdrawn by individuals at any time. The caller must identify themselves and, if requested, provide a contact address or freephone number.

Corporate (B2B): Prior consent is not required, but corporations can opt out. It is a legal requirement for businesses to check against the Corporate Telephone Preference Service (CTPS). Companies, charities, voluntary organisations and political parties must not make unsolicited calls to numbers that are registered on the CTPS, unless the corporate subscriber has specifically told them they can call, or during the 28-day registration period unless an opt-out request to that particular caller was already in place. Consent can be withdrawn by corporate subscribers at any time. The caller must identify themselves and, if requested, provide a contact address or freephone number.

Third party marketing lists: If using a subcontracted call centre, the subcontractor’s call centre staff must identify the organisation on whose behalf they are making the call. The caller of marketing calls must show their telephone number.

Marketing type: Facsimile

Individuals (B2C): Prior consent is required; there is a Corporate Fax Preference Service (CFPS) and a right to opt out. The caller must identify themselves and provide an address or freephone number.

Corporate (B2B): Prior consent is not required, but corporate subscribers can opt out or withdraw consent at any time. It is a legal requirement to screen against the CFPS. Companies, charities, voluntary organisations and political parties must not send unsolicited faxes to corporate recipients whose numbers are registered on the FPS without specific consent. Faxes can be sent during the 28-day registration period unless an opt-out request has also been made to the sender. The caller must identify themselves and provide an address or freephone number.

Third party marketing lists: Prior consent must be given to the sender, and so businesses should be particularly careful not to fall foul of data protection legislation when buying third party marketing lists.

Marketing type: Post (all data protection principles must be complied with, but particularly the first data protection principle, as the personal data must have been obtained fairly and there must be a lawful basis)

Individuals (B2C): There is a right to opt out and a voluntary Mail Preference Service provided by the Direct Marketing Agency, which it is good practice to screen against, but not a legal obligation.

Corporate (B2B): Post can be sent to corporate subscribers, but individual employees can object.

    What do you need to consider in respect of employee personal data and the GDPR?

    Employers must properly protect their employees’ personal data, ensuring that it is secure from damage, loss, unauthorised access or theft. You must otherwise be fully GDPR compliant, with a lawful basis for each specific purpose for which the data is held (in the employment context this will usually be a basis other than consent, which an employee can rarely give freely), and the data must not be held for longer than is necessary for that purpose. You should also ensure employees are aware of their own duties under data protection law. Look particularly closely at the following areas of employment in your business to ensure compliance with data protection legislation:

    Recruitment and selection

    It is important that a potential job candidate is aware you will be processing the personal data they provide. This is particularly important if you recruit through an agency, as the candidate will need to know that the information provided to the agency will be processed by you. You will need clear privacy policies, make these available to candidates, make them aware of how and where their personal data will be stored, and make clear that the data will only be used for recruitment purposes. You should also tell interviewers, and any other staff who will handle the information and personal data recorded during the interview, how to store it. Once a reasonable retention period has passed, this information should be securely destroyed, and a candidate’s request for erasure under the GDPR must be dealt with within one month. When requesting details about criminal convictions, consider whether you can limit the details you request. If your application procedure is online, consider the security of the portal, including encryption of candidate data in transit and at rest.

    Employment records

    Taking into account that the GDPR requires personal data to be relevant and adequate for the specific stated purposes, employers must set time limits for retaining particular records and should review their processes, and the information collected and retained, at regular intervals to check that what is being collected is still necessary. Distinguish absence records from sickness records: an absence record states the length of the absence and may state the reason only in general terms (for example ‘sickness’), whereas a sickness record contains doctors’ letters and specific medical details relating to the absence. Sickness records are special category data and should not be accessed unless necessary; absence records are not.

    Monitoring at work

    Employers often seek to monitor:

  • Email content and traffic; internet use, specifically websites visited and length of use; and telephone use in terms of volume, cost and sometimes content where calls are recorded. The purposes are typically to review employee performance, ensure consistency, maintain quality control and ensure no unlawful acts are carried out where strict regulatory requirements apply. Monitoring may take the form of spot checks that do not refer to particular individuals (recording only sites visited, frequency of visits and the number or length of emails or calls), specific checks on individuals, or monitoring of the content of calls or emails, either of named individuals or at random. Different compliance measures and processes will be required for each of these scenarios.

  • Using CCTV and video surveillance, which is lawful in an employer’s workplace and the surrounding areas and may be, amongst other things, to monitor specific employee performance and ensure there is no negligence, breach of contract or acting outside their authority, discrimination, harassment, or any intellectual property infringements or divulging trade secrets. A CCTV policy may confirm the boundaries.

    You will need to ensure that you have carried out thorough data protection impact assessments in advance of monitoring employees, considering carefully what is being monitored and why, whether the monitoring is justified and cannot be done in any less intrusive manner, and that you have made employees aware that they may be monitored. You should always consider the impact on the right to privacy under Article 8 of the European Convention on Human Rights: our Employers’ guide: monitoring employees in the workplace may help. An electronic communications policy issued to staff, making clear what is and is not acceptable in terms of electronic communications, is also helpful.

    Employee health information

    This is ‘special category data’ under the GDPR, and obtaining a medical report amounts to processing. Such data should not be processed unless there is a lawful ground for processing under Article 9 of the GDPR. Previously, it was seen as necessary to seek an employee’s specific consent to disclosure of a medical report, but under the new data protection framework, including the GDPR, consent should not be relied on in the employment context because of the imbalance of power between the parties. Instead, employers need to look to one of the other Article 9 grounds, read together with the DPA 2018, for lawful processing of special category data. Paragraph 1 of Schedule 1 to the Data Protection Act 2018 (DPA 2018) provides that processing is lawful where it is necessary for the purposes of performing or exercising obligations or rights in connection with employment, and is a helpful provision for employers in this kind of situation. Separately, under the DPA 2018 it is an offence for an employer to require an individual to produce a ‘relevant health record’ in connection with their recruitment, their continued employment, or a contract for the provision of services to the employer.

    You may find Part 4 of the ICO’s Employment Practices Code a useful guide, even though it has not been updated since the introduction of the GDPR: aside from the provisions relating to employee consent, there have not been many significant changes in this area. The Code outlines what should be considered before collecting employee health information, such as introducing a policy that sets out when and how medical examinations will occur and how any information collected will be stored and used, issuing that policy to employees and training them on it, even as early as the recruitment stage. It also considers when processing is necessary and justified: to prevent significant health and safety risks to others at work, to determine whether a staff member is fit to carry out their work or fit to return to work, to determine whether a staff member is entitled to claim certain health-related work benefits, and to comply with legal obligations (for example, to make reasonable adjustments for pregnant or disabled employees).

    Employees as data subjects

    The GDPR has widened individuals’ rights as data subjects. This includes employees whose personal data is being processed by employers, who now have the following rights:

  • The right to be informed (whether data is being collected and processed, where and what that data is, as well as transparency over how the data will be used, and how long it will be kept for, sometimes referred to as ‘fair processing information’)

  • The right of access (to a copy of the personal data being processed about them, together with supplementary information about the processing such as its purposes, the recipients and the retention period)

  • The right to rectification (where an individual’s personal data is in some way misleading, incorrect or incomplete, and the right to be told of any third parties who have received this information)

  • The right to erasure/to be forgotten (to request deletion of personal data on certain bases where the data is no longer required by the data controller)

  • The right to restrict processing (in certain circumstances employees can prevent the processing of their personal data, so it can be stored but the employer is limited in its processing of it)

  • The right to data portability (so that an employee can receive the data held on them in a structured, commonly used and machine-readable format and request that it be transmitted securely to another data controller)

  • The right to object (to processing of their data for a task carried out in the public interest or on the basis of legitimate interests, for scientific or historical research purposes, or for direct marketing, and the right to complain to the ICO)

  • Rights relating to automated decision making (so that employees have the benefit of safeguards against decisions being taken on their data without any human involvement)

    What do you need to do if you receive a data subject rights request from an employee?

    Employers have an obligation as data controller to respond to the employee as data subject. Action taken in respect of the employee’s personal data must be reported to the employee without undue delay and in any event within one month of receiving the request. If the employer notifies the employee within that month that it needs to extend the period for providing a full response, it can do so by a further two months where the request is complex or a series of requests has been made, provided it gives the employee reasons for the delay. If the employee submits their request electronically, the employer must respond electronically unless the employee asks otherwise. If the request is made orally, the employer should record how and when it was made and what information was provided, and may need to verify the requester’s identity before responding. In every case the employer must communicate in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.

    An employer should respond to employees free of charge, apart from if it can demonstrate that requests are manifestly unfounded or excessive, in particular because of their repetitive nature, when the employer can charge a reasonable fee for administrative costs of providing the information or communication or taking the action requested. The employer can also refuse to act on the request.

    If an employer decides not to take action in response to an employee’s request, the employer must, without delay and always within one month of receipt of the employee’s request, give its reasons for not taking action and tell the employee of their right to lodge a complaint with the ICO and seek a judicial remedy.

    An employer may decide not to deal with an employee’s request if a relevant exemption applies or if a request is ‘manifestly unfounded or excessive’. The term ‘manifestly unfounded or excessive’ is not defined in the GDPR but reference is made to a ‘request repetitive in character’. Unless there are extreme circumstances in play, it is advisable to respond, but efforts must only be reasonable and proportionate. If you are thinking of not responding or challenging a data subject rights request made by an employee, you may want to consider seeking legal advice first.

    What do you need to know about intellectual property (IP) and information technology (IT) and the GDPR?

    It may not seem obvious, but data protection and the GDPR can impact intellectual property, as many IP licences include reporting obligations. If information passed from the licensee to the licensor includes personal data such as the names, addresses and IP addresses of alleged infringers, complainants or customers, the licensee and the licensor are likely to be joint controllers subject to GDPR obligations. Licensees may also be processors, so a judgement should be made as to the status of the parties as soon as possible for current arrangements and from the outset when considering new arrangements.

    The Internet Corporation for Assigned Names and Numbers (ICANN) has approved a temporary specification for generic top-level domain (top level domains used for general purposes and coordinated more by ICANN as opposed to country code top level domains which are usually managed more locally) registration data which includes a useful guide for domain name registry operators and registrars, on compliance with the GDPR and handling registration data consistently.

    In terms of IT, under the GDPR data controllers must be able to demonstrate that privacy by design and privacy by default have been embedded into their IT systems and data processing activities. It is an area where businesses are likely to appoint third-party processors, so the information on third-party processors in What are the main issues you need to consider relating to business-to-business (B2B) contracts and the GDPR? above will apply and will make this more demanding than under previous data protection legislation. If you are an IT company acting as a sub-processor, you will find that your customers perform more rigorous due diligence on you, as a breach anywhere in the supply chain can lead to fines of up to £17.5 million or 4% of total annual worldwide turnover for the preceding financial year, whichever is higher.

    About our expert

    Becky White

    Senior Data Protection & Privacy Solicitor
    Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

    What next for GDPR legal advice?

    Still unclear about how GDPR applies to your business, and worried about compliance? Our GDPR data protection solicitors can help. Call us on 0800 689 1700 for an initial consultation on your needs, email us at, or fill out our contact form and we’ll get back to you.

    Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

    Our offices

    A national law firm

    Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

    We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

    Head Office

    Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
    Regional Spaces

    Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
    13th Floor, Piccadilly Plaza, Manchester, M1 4BT
    10 Fitzroy Square, London, W1T 5HP
    Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
    1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
    White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP