A Year On From GDPR… What Have We Learnt?

Though the concept remains very similar to the old Data Protection Act, the GDPR guidelines break down individual rights succinctly. In this article we explain these key rights with practical examples.

Under GDPR, employees can exercise the following rights:

  • The right to be informed
  • The right of access – to personal data
  • The right to rectification – if personal data is inaccurate or incomplete, it should be corrected
  • The right to erasure (“the right to be forgotten”) – to delete or remove personal information that is out of date, e.g. expired disciplinary warnings. It is good practice to ‘cleanse’ personnel files, thus keeping them ‘up to date’.
  • The right to restrict processing – to restrict or block the processing of your data (e.g. redacting a name from witness statements). This may be because of the content of the information you hold or because of how you have processed their data (indefinitely).
  • The right to data portability – to allow individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
  • The right to object – e.g. to object to the processing of personal data where it is for direct marketing purposes.
  • Rights in relation to automated decision making, including profiling – decisions made by a computer without any human involvement

In an HR context, any of these rights can be applied in numerous ways. For example, the right of access allows employees to access their personnel files. Another example is the right to data portability; this is common where the employer uses an external payroll provider or IT system and needs to transfer staff data safely. Employees would be made aware of this through company policies and procedures (the right to be informed).

GDPR rules can be quite complicated, which is why it is important that organisations have a Data Controller (a person who processes data) and a Processor (someone responsible for processing personal data on behalf of the data controller) to uphold GDPR guidelines.

Failure to follow GDPR rules can be very costly. In the month of April 2019 alone, UK businesses were fined thousands: London Borough of Newham was fined £145,000 for disclosing personal information, and Bounty (UK) was fined £400,000 for sharing personal data unlawfully. Fines such as these are based on GDPR guidelines of either a maximum of 20 million euros or 4% of annual turnover. So, to avoid huge, costly fines, it is crucial that organisations and businesses demonstrate that they are complying with GDPR guidelines.

For further guidance and support on GDPR, members of Your Business Community can call our Helpline.