Data Protection (including SARs and GDPR)

Data protection is a significant responsibility for every business owner to manage and to keep up to date with. As an employer, it’s essential that you are aware of the latest legal developments around data protection and fully comprehend the principles of data protection, including the General Data Protection Regulation (GDPR) and subject access requests (SARs).

While businesses have a responsibility to securely store the data they hold about their clients and contacts, the impact data protection regulations have on HR activities is even more significant. These teams are responsible for keeping all employee records, including training records, performance monitoring, disciplinary or grievance records and references. This is on top of robustly storing the sensitive data they hold.

When holding data on employees, organisations should bear in mind consent, processing and security.

Consent

There are several reasons why an organisation may hold and process data, but the best and most commonly known is consent. Organisations should try to seek consent from employees if they’re holding sensitive data about them as individuals, giving explicit explanations of why the data is being collected and what it will be used for. This consent must be freely given and cannot be assumed to have been given as part of employment. For this reason, it is essential that businesses have a clear privacy notice which sets out what information you hold about employees, why you hold it and what you will be doing with that data.

Processing, Transferring or Sharing Data

Many organisations utilise third party services to complete tasks including payroll and employee recruitment. In using these organisations, it may become necessary to share your employees’ data which can risk a breach of security. You should ensure that you only share the data that is necessary to complete the task and should anonymise data, where possible. As above, employees should be aware that the third parties will be processing their data.

Data Security

The security you have in place should be reasonable for the size of organisation and should be appropriate to the risk of processing. In order to maintain a good level of security, it’s recommended that your organisation has a data protection policy in place. This should include risk assessments and restrictions on who can access which data. Dependent on the size and type of business, you may also require a data protection officer to ensure compliance with data protection laws.

Subject Access Requests (SARs)

Employees may choose to submit a written subject access request for any information their employer holds on them, and you must respond to this request within one month. Again, the procedure for responding to SARs should be outlined in the data protection policy, which can be accessed in the staff handbook. These can be very difficult to navigate because an individual’s personal information may be mixed in with other individuals’ personal information, which the requester has no right to access. Our team has extensive knowledge in dealing with subject access requests and can assist you to ensure you do not fall foul of your obligations.

Our Employment team has extensive experience in advising clients, ranging from small SMEs to multi-million pound, multi-national operations, on how to sensibly and securely store and process employees’ data. If you would like advice on how best to deal with data protection within your organisation, our solicitors can give you pragmatic advice on your best course of action.

Get in touch

Talk to us about your legal challenges and discover how our expert, pragmatic legal advice and broad commercial acumen can help.