Tax & admin · 5 March 2018

GDPR factsheet: It isn’t just about customers, it matters for employee data too

Employee data
Small business owners must make sure employee data is just as protected as that of customers

This May will see a change in the rules governing management the personal data of EU citizens. Is your business ready for the changes to the way employee data is handled?

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that will come into force on 25 May 2018. It centres around personal data protection for EU citizens, and aims to unify data privacy laws across Europe.

Many businesses and organisations that hold data will be affected. Non-compliance with GDPR can mean significant fines for those in breach, so for those that have not already done so, it is time to start preparing.

How do I know if I’m affected?

According to, the new regulation “applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects”.

Any companies which process and hold personal data of EU subjects, no matter where the business is based, fall under the remit of GDPR. So yes, you are most likely affected.

What measures must you take to comply?

The main points of GDPR for businesses to comply with include:

  • Request for consent and purpose of data collected must be intelligible – for sensitive personal data, users will have to “opt in” rather than “opt out”
  • Individuals must have the right to access their data
  • Individuals must have the right to withdraw consent and prevent further dissemination of data
  • Those concerned must be notified if there is a security breach

For more information on key changes, check here.

Why does it affect employee data too?

Many employees will also be EU citizens. It doesn’t matter in what capacity you come by the data, if you are holding it and processing it, it’s affected by GDPR.

What about if we leave the EU?

If you are processing data related to EU citizens, your business or organisation will still be under the remit of GDPR. While it remains to be seen if UK citizens will be included in this remit, the wise thing to do now is prepare to process all data using these new regulations.

SMEs respond

This issue will affect businesses and organisations of all sizes. We caught up with Andy Carr, owner of Spoon Customs, a handmade custom bike company, to find out how he is preparing. The business operates in the UK, and has a development office in France.

Why is data protection important for a business’ reputation?

“We’re tiny, and don’t handle much data yet, but our customers expect the same level and standards as they would from anyone else. We use a lot of outsourcing or web based services such as mail chimp, squarespace, which means a lot of our sensitive information is held or managed securely by these companies.

“We review our internal processes as needed. I guess anxiety drives that, rather than immediate business needs just now, but as we get bigger, we’ll need to think about how we scale all aspects of the business in a way that’s safe and manages risk for us and our customers.”

How do you keep on top of data protection for employees?

“Some aspects of data protection are about common sense. This is one such area.

“We use consultants, to help us understand our exposure, and then we put simple systems in place to help us manage it. It’s not that onerous in this case, as I still run everything.”

How do you ensure that you are compliant with GDPR?

“We’ve been doing business in the EU since the start, so we’ve known this is coming and been able to think about it when setting up. That’s not to say it’s simple however.

“There’s an excellent guide at the ICO (Information Commissioner’s Office) which gives businesses a starting point. For us much of our customer interactions start on instagram (@spooncustoms), or Facebook, so we were unsure how it would affect us.”

Want more help with your company’s GDPR compliance? Learn more about how Sage could help with its suite of services.

Sign up to our newsletter to get the latest from Business Advice.



Letitia Booty is a special projects journalist for Business Advice. She has a BA in English Literature from the University of East Anglia, and since graduating she has written for a variety of trade titles. Most recently, she was a reporter at SME magazine.

Work and Wellbeing