Tax & admin · 5 March 2018

GDPR factsheet: It isn't just about customers, it matters for employee data too

Employee data
Small business owners must make sure employee data is just as protected as that of customers
This May will see a change in the rules governing the management of the personal data of EU citizens. Is your business ready for the changes to the way employee data is handled?

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that will come into force on 25 May 2018. It centres on the protection of personal data of EU citizens, and aims to unify data privacy laws across Europe.

Many businesses and organisations that hold data will be affected. Non-compliance with GDPR can mean significant fines for those in breach, so for those that have not already done so, it is time to start preparing.

How do I know if I'm affected?

According to, the new regulation applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.

Any company which holds or processes personal data of EU data subjects, no matter where the business is based, falls under the remit of GDPR. So yes, you are most likely affected.

What measures must you take to comply?

The main points of GDPR for businesses to comply with include:

  • Requests for consent must be intelligible and state the purpose for which the data is collected; for sensitive personal data, users will have to "opt in" rather than "opt out"
  • Individuals must have the right to access their data
  • Individuals must have the right to withdraw consent and prevent further dissemination of their data
  • Those concerned must be notified if there is a security breach
For more information on key changes, check here.

Why does it affect employee data too?

Many employees will also be EU citizens. It doesn't matter in what capacity you come by the data: if you are holding it and processing it, it is affected by GDPR.

What about if we leave the EU?

If you are processing data relating to EU citizens, your business or organisation will still be under the remit of GDPR. While it remains to be seen whether UK citizens will be included in this remit, the wise thing to do now is to prepare to process all data in line with these new regulations.

SMEs respond

This issue will affect businesses and organisations of all sizes. We caught up with Andy Carr, owner of Spoon Customs, a handmade custom bike company, to find out how he is preparing. The business operates in the UK, and has a development office in France.

Why is data protection important for a business's reputation?

We're tiny, and don't handle much data yet, but our customers expect the same level and standards as they would from anyone else. We use a lot of outsourcing or web-based services such as Mailchimp and Squarespace, which means a lot of our sensitive information is held or managed securely by these companies.

We review our internal processes as needed. I guess anxiety drives that, rather than immediate business needs just now, but as we get bigger, we'll need to think about how we scale all aspects of the business in a way that's safe and manages risk for us and our customers.

How do you keep on top of data protection for employees?



Letitia Booty is a special projects journalist for Business Advice. She has a BA in English Literature from the University of East Anglia, and since graduating she has written for a variety of trade titles. Most recently, she was a reporter at SME magazine.