• It is expected that the UK will adopt a national data protection regime that is largely in line with the EU regime on leaving the EU. The European Commission has claimed that these changes will save businesses EUR2.3 billion a year although some commentators have raised questions about whether this will in fact turn out to be the case.

    The changes are significant and organisations need to be planning for the changes now.

    Key Changes

    • Data must be processed fairly, lawfully and with transparency meaning individuals must be given more published explanations about how their data will be used.
    • One of the means in which data can be lawfully processed is on the basis of individual consent. The consent requirements are considerably strengthened under the GDPR. Such consent has to be freely given and it must be easy to withdraw consent.
    • A clearer statement needs to be given to job applicants and employees concerning how their data will be processed. This statement must be easy to understand and clearly set out the lawful basis on which their data will be processed. Further explanations must also be given for example about how to withdraw consent, for how long data will be stored, rights to complain etc.
    • Enhanced rights include a package of around the “right to be forgotten”, the correction of data and limiting how data is processed – referred to as the right to “delete it, freeze it, correct it”.
    • Data Protection Officer – every business (irrespective of size) has to have a DPO if large amounts of personal data are handled and has to be able to demonstrate compliance. DPOs will provide advice, be the point of contact for the Information Commissioner and monitor compliance.
    • Data processors have specific duties and can be fined for breaches.
    • The period for compliance with data subject access requests is “without undue delay” and in any event within 1 month (possible extension to 3 months).
    • Removal of the £10 fee although if the request is excessive an employer can charge a reasonable fee or refuse to comply.
    • Records have to be kept of processing activities.


    The maximum penalty for non-compliance is the higher of Eur20m or 4% of worldwide turnover. Lesser breaches of the GDPR can incur fines up to Eur10m or 2% worldwide turnover.

    Steps to Consider Now

    • Identify all existing data systems and the personal data processed.
    • Consider appointing a DPO.
    • Review privacy notices and other fair processing information and ensure it is compliant with the new requirements.
    • Review contracts of employment, handbooks and policies to see whether and how they deal with data protection (and in particular, how consent is sought).
    • Establish a policy (with a timeline) for handling data breaches.
    • Plan for staff training on data protection responsibilities.
    • Develop and implement a policy on retention and storage of data, including emails, personal file information (including warnings) etc.

    Further guidance is available from the ICO including their 12 steps in preparing for the GDPR booklet.

    How can we help

    Brachers and our HR consultancy service, Kent HR can support you in ensuring compliance with the new GDPR including contract, handbook and policy reviews, the provision of standard documentation and risk audits.

    For further information please contact Catherine Daw on 01622 655291 or Veronica Fox on 01622 655294.

    Downloadable Files

    Download the file on GDPR

    This content is correct at time of publication

    Can we help?

    Take a look at our Data Protection and GDPR page for useful information, resources, guidance, details of our team and how we may be able to help you

  • Key contact:

    Get in touch

    Please fill out the below form or alternatively you can call us on 01622 690691

      By submitting an enquiry through 'get in touch' your data will only be used to contact you regarding your enquiry. If you subscribe to any of our newsletters, you can unsubscribe any time using the link in the email. Please view our privacy statement for more information