Skip to content

A GDPR refresher for employers and their HR teams

Kate Benefer, Partner, RWK Goodman

Although the General Data Protection Regulation (GDPR) isn’t new, it is as relevant today as it was then. However, we know from our conversations with employers and their HR teams that many of them are feeling rusty and would welcome a reminder of the key do's and don'ts. Kate Benefer, a partner in the Employment team at RWK Goodman in Oxford, and regular speaker at our HR Hubs, answers some of the most frequently asked questions on dealing with GDPR in practice.

GDPR was introduced into the UK on 25 May 2018 via the Data Protection Act 2018.

Everyone who deals with personal data needs to know about GDPR and what they can and cannot do. It is not just an HR responsibility or something which the data protection officer or lead needs to understand. Any employee who deals with data on a day-to-day basis needs to understand the rules as they are the ones who will determine whether your organisation complies or commits a data breach.

You may like to use the following frequently asked questions as a checklist to identify any gaps or reassure yourself that you've got it all covered.

Q: What documentation should we have in place?

A: The specific documentation will depend on the nature of the business and the type of data being processed but is likely to include:

  • Privacy policies for staff, candidates and third parties – setting out what data you process, the lawful bases for doing so, retention periods, security, whether data is transferred to third parties and the rights of the data subject
  • Data processing agreements with your third party processors, for example pension or payroll providers. These set out the type of data you will be providing, what the processor is and isn’t permitted to do with it and information about returning the data
  • A breach reporting policy and log
  • A subject access request policy
  • A retention policy setting out how long different types of data will be kept. This may be detailed in the privacy policy itself or a separate document can be used
  • A data protection policy setting out what you expect from staff in terms of their obligations to comply with your procedures.

Q: We have received a subject access request for a long serving employee. Given there will be a substantial amount of paperwork to review, can we extend the time limit for responding?

A: The normal time limit is one month but this can be extended to three months. If you need longer than a month, this should be communicated to the data subject as soon as possible with reasons. You should not wait until the month has expired before saying you need longer. Ideally, data should be provided as soon as possible so even if you need longer to provide everything, this doesn’t mean you should hold data back which you could provide now.

Q: When responding to a subject access request do we have to provide documents?

A: No. The right is to data not documents so you could, if easier, extract the data and disclose that to an individual in a letter or report. They do not have a right to the actual documents themselves. Where a document contains a lot of information which would not be personal data or would be exempt and need redacting, it may be easier to just copy the personal data. However, where a document relates solely to the individual (for example, their occupational health report), it is likely to be easier to just disclose the report.

Q: When do we need to report a data breach?

A: If the breach is likely to create a risk to the rights and freedoms of the data subject the breach needs to be reported to the ICO within 72 hours.

If the breach is likely to create a high risk, the individual data subjects should also be told.

When dealing with breaches relating to employee data, it is worth considering whether it would be a good idea to inform them of the breach, even if the threshold is not necessarily reached. If they were to find out from someone else, they could feel aggrieved that they were not told which could damage the ongoing relationship or lead to a dispute.

Q: Can I keep CVs of good candidates in case we have future job vacancies?

A: Potentially. Your privacy policy should make it clear how long you will keep the documents and for what purpose. You may be able to argue that contacting someone about a very similar role is justified on the basis of legitimate interests. However, there is a risk that a candidate would say they only wanted their data processed for the job they actually applied for. Also, if CVs are kept for a while there is a risk that the information will be out of date and breaches the accuracy principle.

A better approach is likely to be to seek specific consent for the CV to be retained for a set period of time and then for further consent to be obtained at the end of that period together with confirmation that the data is accurate.

Q: How long should I keep employment documents after an employee has left?

A: For many documents the period will be six years because this is the limitation period for a breach of contract claim. This means that if an employee pursues a claim against you, you have kept the evidence you may need to defend the business.

However, not all documents will be relevant to a potential breach of contract claim and many, such as bank details or right to work documents, should be destroyed earlier than six years.

Conversely, there may be reasons why some documents need to be kept for a longer period. For example, there are specific requirement in relation to payroll data and tax and sometimes insurers have requirements about data retention.

Q: Can we rely on a consent clause in an employment contract to require employees to agree to a medical report?

A: Unfortunately no. Consent needs to be express, informed and specific which means a general consent clause will not be sufficient. Instead, consent will need to be requested at the time of seeking a medical report and the individual will need to be provided with information about the reason for the request as well as what the report will be used for. The data should not then be used for a different purpose, so for example, an employee should not be asked to consent to a medical report so as to consider “appropriate support and adjustments” and then have the report used as the basis of a dismissal for capability. If the report is to be used for this, the employee needs to be told this before they consent.

If you would like to discuss these Q&A in greater detail or have any questions of your own that you would like answered, please contact Kate Benefer at RWK Goodman on 01865 792300 or email

For a more in-depth GDPR refresher, don’t miss RWK Goodman's Employment Law Update.

About the author

Kate Benefer, employment law partner, RWK Goodman

Kate advises on all aspects of employment law including disciplinary, grievances and sickness management, redundancy and restructures, discrimination, tribunal claims and immigration issues. She has particular experience in dealing with collective issues including large scale restructures and changes to terms and conditions, collective agreements and industrial relations. Kate has been described as “very switched on” (client feedback) and as a “confident and poised speaker” whose delivery is “on the money” (delegate feedback).

We use cookies to give you the best experience of using this website. By continuing to use this site, you accept our use of cookies. Please read our Cookie Policy for more information.