The General Data Protection Regulation and employee data: Good news for SMEs

13 July 2017 | Guy Abbiss

Here are five pieces of good news for small and medium enterprises (“SMEs”) about handling employee data under the GDPR – including why it represents an opportunity for SMEs to strengthen employee engagement.

  1. Many core data protection principles remain the same

The new law is not a complete rewrite of the old regime – many of the rules on processing, transfer of data and access to personal data will be very familiar.

  1. SMEs receive special treatment:
  • SMEs (here, organisations with under 250 employees) are excluded from some of the more cumbersome new requirements to keep records of processing activities (Article 30 of the GDPR);
  • There may be further exemptions for SMEs when implemented by the UK nationally (and across the EU).  However, exemptions are likely to be fairly limited as the GDPR is aiming for a more consistent data protection regime overall;
  • Unless your organisation carries out large scale monitoring or processes specific sensitive personal data (or you are a public body) then it is unlikely you will be required to appoint a data protection officer, although some organisations may choose to do so.
  1. Rules on employee consent to process personal data are being clarified

There was always concern that employees do not give genuine consent for employers to process their data when it forms part of employment documentation.  Under the GDPR consent must to be as easy to withdraw as to give – opening the door for disgruntled employees to withdraw consent at any time leaving the employer without a lawful basis to process HR data.

Many employers will use this as an opportunity to identify alternative grounds for lawful processing of employee data which do not have these pitfalls.

  1. Data subject access requests: you already have a headstart

Most employers have had to manage data subject access requests for years – the rules are being tightened and time frames shortened.  SMEs should use this as an opportunity to update old policies and procedures and make clear that you take your obligations seriously.

  1. A valuable employee engagement exercise

“Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong”, according to the ICO Deputy Commissioner for policy.

Practical steps to implement the GDPR will vary between organisations, depending on their size, what data they process how and why. But understanding how employees want their data to be handled and communicating implementation effectively could send a powerful message to employees: that they are valued, enhancing trust as well as the quality of information. Similarly, many businesses regard the GDPR as an opportunity to improve value to customers and to innovate by making the best use of the data you handle.

Overall, it is our view that unless an SME conducts high risk processing, or fails to take reasonable steps to implement the rules, then the focus will not be on such organisations – for now.


What should you do now?

SMEs should plan now for the GDPR, to make the most of the opportunities it represents as well as to ensure compliance. We offer a simple, checklist based approach to analyse what data you process, how and why, to provide you with a user-friendly structure for ensuring compliance.

If you have questions or concerns about practical implementation, please get in touch.



The ICO has also produced a helpful toolkit for SMEs on the implementation of the GDPR:


Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article. For further legal information click here.

Related content

13 June 2024
How to apply for certificate of residence in the UK
Where an individual is resident in the UK and has…
29 May 2024
UK Share Plan Reporting 2024: Everything you need to know
The deadline is approaching for the HMRC’s annual return filings…
20 May 2024
Employee Share Plan Reporting 2024: Alerting Your Clients
The UK tax authorities’ (HMRC) submission deadline for annual return…
Subscribe to our newsletter
Stay up to the minute on our latest news and insights?
International reach

We have helped clients meet their HR needs in over 70 countries across five continents.