Close menu

Employers by their very nature control and process significant amounts of data relating to their employees such as; health and sickness, performance management, grievances, and payroll data and a GDPR breach could spell disaster. It is imperative therefore that robust policies and procedures are put in place to reduce the risk of potential data breaches and limit any reputational damage.

The importance of such was highlighted in a breach at the outsourcing and construction firm, Interserve, where the Information Commissioner`s office (ICO) found that the firm failed to put appropriate security measures in place to prevent a cyber-attack, which resulted in hackers gaining access to the personal data of up to 113,000 employees. The penalty was momentous, with Interserve being hit with a £4.4m fine recently.

What happened?

It appears that an employee of Interserve had forwarded a phishing email to a colleague who proceeded to open and download its content. This resulted in malware being installed onto the employee’s workstation, through which a hacker was able to gain access to the company’s systems and accounts and encrypt the data of former and current employees. Although the company’s anti-virus software alerted the company about the malware, Interserve, it is alleged, failed to thoroughly investigate it. The ICO further noted that the company`s systems and protocols were outdated and there had been a lack of staff training and risk assessments had been insufficient.

What can employers do to minimise a GDPR breach?

The UK GDPR and DPA 2018 together create a regime which governs the processing by controllers of personal data relating to data subjects. In the employment context the employees are likely to be data subjects while employers are likely to be controllers. The processing of data includes recording or holding data; disclosing the data; using the data for any reason before, during or after a person is employed by you; and/or deleting or destroying the data.

A failure to comply with UK GDPR may leave employers open to a substantial fine which can include:

  • a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
  • a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation

The data protection principle of accountability set out in Article 5(2) of the UK GDPR requires controllers to demonstrate that they comply with the data protection principles. It will not be enough for the employer to say that it is compliant, the employer must be able to prove it if asked.

Employers should therefore implement appropriate and organisational measures that show compliance which may include:

  • undertaking internal audits of processing activities. The audits should identify the personal data it controls, what is done with it, how it is collected and, what happens after it is collected and where it goes;
  • implementing clear, robust and transparent data protection policies;
  • providing staff with appropriate training;
  • introducing a form or online checkbox for employees to say they understand and have complied with the data protection policies;
  • Reviewing the security of your data, such as changing passwords regularly and encrypting data where possible;
  • ensuring that all internal HR processes are kept up to date;
  • keeping records on processing activities (note that this is a requirement for employers who have at least 250 employees;
  • appointing a data protection officer or someone with specific responsibility for continued oversight of data protection obligations;
  • Notifying the ICO and data subjects of personal data breaches;
  • Maintaining compliance to ensure that the systems and protocols in place do not become stale and outdated.

Get in touch

If you require legal advice relating to GDPR or have an employment related matter you would like to discuss, please get in touch with our team by completing the form below.

Key Contact

Helen Watson

Helen Watson

Partner | Head of Employment Law


Helen has been Head of the Employment Team at Aaron and Partners LLP for over 16 years and is an experienced Tribunal Advocate, Accredited Mediator and Workplace Investigator. Helen is also a Chartered Director and Executive Boardroom Coach.

Latest News

What is Flexible Working?

07 February 2023

Read more

Harpur Trust v Brazel: The Return!

07 February 2023

Read more