EMLaw - GDPR – A brief guide


GDPR Guide Introduction

I am EM Law's lead adviser on data protection compliance.

We all know that the GDPR has been coming for some time, but few businesses are properly prepared for it. Most businesses know that they should be doing something but, because the GDPR is complicated, they have not got around to understanding what it is they need to be doing. Some managers I have spoken to think that the effect of the GDPR is being overstated by lawyers and other professionals trying to cash in on the unwarranted panic they are causing. I have some sympathy for this attitude – especially having seen some of the very heavy guides out there!

Unfortunately, though, while there is no need for the vast majority of businesses to panic, all businesses, large or small, have work to do to make sure that from 25 May they will be complying with the new law.

This GDPR guide is aimed at you, the director of a small/medium-sized business, who does not know much about data protection. You know that data protection laws exist. You know that your business has a responsibility to keep data secure and that if data gets lost your business can get sued. Your business probably has a privacy policy published somewhere – perhaps on your website - that you do not pay much attention to. Your contracts contain data protection clauses somewhere towards the back of them – you’ve relied on your lawyer making sure that these are correct.

This GDPR guide will hopefully give you a good overview of what the GDPR is about and what you need to do to make sure that your business will be compliant come 25 May. You will certainly not know all there is to know by the end of reading this GDPR guide but it will give you a platform to enable you to find out more or to seek help in an informed way.

This GDPR guide is applicable to the majority of UK based businesses. It does not apply to:

  • Public authorities.
  • Organisations that are established outside the UK.
  • Organisations that sell products or services to children.
  • Organisations that handle information relating to criminal convictions and offences.

GDPR Guide Quick Q&A

Q: Does the GDPR apply to your business?
A: As your business is established in the UK then, yes, it does and it will apply to data that your business collects both inside and outside the EU.

Q: What is the GDPR about?
A: It is a set of rules that govern how your business may process “personal data” and the systems that your business must put in place in connection with that processing.

Q: What is personal data?
A: Information that relates to an identified or identifiable living individual e.g. personal details, medical details, financial details, employment details, lifestyle details, IP address.

Q: The GDPR applies to “the processing of personal data”. What does “processing” mean?
A: “Processing” is described so widely (e.g. it includes “collection”, “storage” and “use”) that we do not see how you could not be “processing” personal data. So, any activity involving personal data falls within the scope of the GDPR.

Q: Who is a “data controller”?
A: A data controller is the person responsible for deciding how and for what reason personal data is processed. Your business, as an employer, will be the data controller in relation to personal data processed about your employees. Your business, as a supplier, will be the data controller in relation to personal data processed about its customers.

Q: Who is a “data processor”?
A: A data processor is the person who processes data on behalf of a data controller. Your business, as a supplier, will be a data processor in relation to personal data that your business customer (the data controller) has given you about its employees or clients.

GDPR Guide: Data Protection Principles

Data controllers and data processors must comply with all of the following principles when dealing with personal data:

Lawfulness, Fairness and Transparency

Your business must give individuals whose personal data it collects certain information about who your business is and what it does with their data.

Your business can only process personal data on the basis of one or more of the following grounds:

The individual has given their consent

If your business is relying on obtaining an individual’s consent to process their personal data then that individual must have understood clearly what they were consenting to and they must have given their consent by some positive action and without being under any pressure to do so. An individual signing a stand-alone document that clearly sets out how your business will process their data is a good way of obtaining consent. Burying a consent clause in the back pages of a contract will not be acceptable. Individuals must also be informed of their right to withdraw their consent at any time.

It is necessary for entering into or performing a contract with the individual

For example, your business will need to store an employee’s financial details so that your business can pay them.

It is necessary for compliance with a legal obligation

For example, your business will need to disclose employee salary details to HMRC.

It is necessary to protect the vital interests of the individual

This ground usually only applies in life or death situations. If, for example, an employee is seriously injured at work your business may need to disclose that employee’s medical history to the medics.

It is necessary for the performance of a task carried out in the public interest

This is relevant to public authorities or private businesses acting under the control of public authorities.

It is necessary for the purposes of legitimate interests pursued by you or by a third party

(as long as your interests are not overridden by the fundamental rights of the individual). For example, for direct marketing purposes or preventing fraud, for internal administrative purposes between group companies, for reporting possible criminal acts.

NB if your business processes “special categories” of personal data i.e. data that reveals: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sex life and sexual orientation then the grounds upon which your business is allowed to process that data are more restrictive than the ones set out above.

Purpose limitation

Your business can only collect personal data for specified, explicit and legitimate purposes that it makes known.

Data minimisation

Collection of personal data must be limited to what is necessary for the purposes your business collects it.

Accuracy

The personal data your business collects must be accurate.

Storage Limitation

Your business must not store personal data for longer than necessary.

Integrity and Confidentiality

Personal data must be held securely.

Accountability

Your business must be able to demonstrate compliance with its data protection obligations.

GDPR Guide: Right of Individuals

Individuals may:

  • Withdraw their consent at any time (in which case your business would need to rely on another lawful ground to enable it to process their personal data).
  • Require data controllers to tell them what information they are holding about them, what for, how long for etc.
  • Require data controllers to correct inaccuracies in their data.
  • Require data controllers to erase information held about them.
  • Require data controllers to provide them with a copy of all personal data held on them.
  • Object to the processing of their data.

GDPR Guide: Obligations of Data Controllers and Data Processors

If a data controller appoints a data processor then certain clauses must be contained in the written contract between them.

Your business must appoint a data protection officer if either (a) its core activities require regular and systematic monitoring of individuals or (b) its core activities consist of processing “special categories” of data (see above definition) on a large scale. The majority of businesses will not need to appoint a data protection officer.

Data controllers must maintain records of the processing activities under their control which include at least the following:

  • The name and contact details of the controller.
  • The name and contact details of the data protection officer (if there is one).
  • The purposes of the processing.
  • A description of categories of data subjects and of the categories of personal data relating to them.
  • The recipients of the personal data.
  • Where applicable, transfers of data to a third country or an international organisation.
  • Where possible, a general indication of the time limits for erasure of the different categories of data.
  • The description of the technical and organisational security mechanisms the data controller employs.

Data processors must maintain records of all categories of processing activities carried out on behalf of a controller. This includes the following information:

  • The name and contact details of the processor and of each controller.
  • The name and contact details of the processor’s data protection officer (if there is one).
  • The categories of processing carried out on behalf of each controller.

Data Controllers must conduct an impact assessment if they are involved in “profiling” or processing “special categories” of data (see above definition) on a large scale or if they are systematically monitoring publicly accessible data on a large scale. The majority of businesses will not be involved in these activities.

Your business must implement appropriate measures to keep personal data secure e.g. data encryption, disaster recovery, security testing, staff training.

The Data Controller must flag up any data security breaches.

GDPR Guide: Cross-border Data Transfers

Your business must not transfer personal data outside of the European Economic Area (EEA) unless:

  • It is to a country that the EU Commission has said it is ok to transfer the data to.
  • Your business puts in place appropriate safeguards (for example the contract with the person who your business transfers the data to contains certain clauses that the EU Commission has approved); or
  • An exemption applies (for example the individuals whose data is being transferred have given their consent having been informed of the possible risks of such transfer).

Please bear in mind that your business will be transferring personal data outside of the EEA if, for example, its IT system is cloud-based and the data centre where that data is stored is outside the EEA.

Please also bear in mind that the US is not on the Commission’s approved list of countries where personal data can be sent to. Instead, the EU Commission and the US Government have agreed an arrangement called the EU-US Privacy Shield. Basically, it is ok for your business to transfer personal data to a US company whose name is on the EU-US Privacy Shield list (this list is managed by the US Department of Commerce). At least for now. This arrangement is subject to review.

GDPR Guide: Sanctions for breach of the GDPR

Organisations that breach the GDPR may be hit with administrative fines of up to EUR20 million or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher. If an individual, for example, an employee in your business, suffers damage because your business has breached its obligations under the GDPR, that individual can claim compensation, not just for any financial loss they have incurred but for any distress they have suffered as well. We believe that there will be a significant increase in claims being brought by individuals against businesses following the GDPR coming into force.

GDPR Guide: What should I do now to prepare my business for the GDPR?

First of all don't panic! Yes, there is work to do but EM Law can do the heavy lifting for you. Here is what needs to be done:

  • Designate someone in the business to be the lead on GDPR matters.
  • Consider whether your business needs to appoint a Data Protection Officer.
  • Audit and map all data processing activities.
  • Assess all data processing activities to see how they align with GDPR principles and requirements and perform a gap assessment. Create an action plan and then implement procedures to implement changes to align activities with GDPR. Review and document the legal basis for GDPR-covered processing activities.
  • Update privacy policies / notices.
  • Update consent mechanisms i.e. check to what extent your business relies on consent from individuals to process their data and then consider whether your business can rely on another lawful ground to process data or what changes need to take place around obtaining consent in compliance with GDPR requirements.
  • Review supplier and customer contracts to ensure that they address GDPR requirements.
  • Prepare for new documentation (record keeping) requirements. It is important to understand that GDPR requires your business to demonstrate how it complies with GDPR.
  • Review personal data protection and security measures – is the personal data that your business processes stored securely enough?
  • Review any cross-border transfers of personal data that your business makes.

This GDPR Guide is very much an overview. If you need any help interpreting the GDPR or implementing its requirements just let us know. We can help you with advice, training, documentation to help you with your data processing assessments, standard form documentation such as privacy policies and GDPR tailored clauses to include in your contracts.


Settlement agreements – A Quick Guide

EM Law helps employers and employees with drafting, advising on and negotiating settlement agreements. Our employment law team is made up of expert solicitors with City and large regional law firm experience.

If you are an employee and your employer has offered you a settlement agreement the chances are you are in the process of being made redundant or your employment is terminating for some other reason. For some individuals, redundancy is a welcome thing - an opportunity to leave a job they wanted to leave anyway with a package they would not have received if they had resigned. For the majority of people, though, being made redundant is a very stressful situation. Quite often, employers will take a hard line – putting pressure on the employee to accept the offer that’s on the table.

This is where we come in.

We help employers follow the correct process and provide pragmatic, commercial advice to help employers achieve the best outcomes. We prevent employers from being exposed to greater claims.

From the employee perspective, we help employees receive the best settlement package they can.

Negotiating settlement agreements

The common aim with settlement agreements is that, once signed, they end the employment relationship. The employee, in return for compensation in cash and other benefits, agrees that they will not bring any claims against the employer.

So it’s important to get settlement agreements right. Loose drafting opens the door for the employee to make claims that they shouldn’t have been able to make. Poor negotiation will leave an employer paying more than they should or an employee receiving less than they should.

Negotiation: common scenarios

Typically, the process of negotiation can take place in one of four scenarios.

Where employment has ended

The employee may be presented with a draft settlement agreement (marked “without prejudice and subject to contract”) and asked to revert to the employer within a fairly short timescale with a response to the settlement offer.

Where employment and active duties continue

The employee is approached by their manager or human resources department (either in a without prejudice discussion or a pre-termination negotiation). They are made an offer and potentially given a draft settlement agreement (marked “without prejudice and subject to contract”). They are told to take it away and consider its contents, usually within a fairly short timescale. The employee will remain in the workplace, actively carrying out their duties, but will be asked to keep the settlement discussions confidential, including the existence of the settlement agreement.

Where employment continues but the employee is not actively carrying out duties

A variant of the above is where the employee is still employed but not actively carrying out their duties. They may be on long-term sick leave or family related leave. As above, the employee will be given a draft settlement agreement (marked “without prejudice and subject to contract”) and asked to respond within a certain timescale.

Where employment continues but the employee is sent home

The employee may be given the draft settlement agreement, or an outline of settlement terms, and asked to remain at home while they consider the offer over a certain timescale. They may be placed on garden leave, or else just told it is better for them to remain at home while they consider the position. They will be asked not to have contact with colleagues or clients and their computer access may be disabled.

Possible steps in a settlement discussion (employee still employed)

Step 1: invitation to meeting

The employer invites the employee to a meeting at a mutually convenient time and place.

Step 2: at the meeting

At the meeting, the employer explains its concerns (for example, performance issues or the breakdown of the working relationship) in a neutral manner, and proposes an exit with an agreed settlement package. The employer should provide enough information for the employee to understand what has led to the offer and the potential consequences if they do not depart.

Where inadequate information is provided, this could support an argument that there is a discriminatory basis for the offer.

Step 3: written offer

If the employee agrees to explore the suggestion of settlement, the employer produces a written offer.

The employee must have a “reasonable period” in which to consider the formal written terms.

Step 4: settlement agreement

If the employee is interested in proceeding with the settlement, the employer can provide the employee with a settlement agreement documenting the terms, if they have not already done so. The employee will need to take independent legal advice on the implication of entering into the agreement.

If the employee is not interested in exploring settlement, the employer should cease settlement negotiations and seek to tackle the underlying problem.

Acas guidance on conducting settlement discussions

Acas has produced the following guidance and resources:

  • A Code of Practice on Settlement Agreements which focuses on the admissibility provisions regarding pre-termination negotiations.
  • A guide to settlement discussions to help employers and employees understand when settlement agreements can be negotiated.
  • Two template letters (putting forward settlement offers) and a model settlement agreement; these are contained in the guide.

Allowing time to consider offers

The Acas Code on Settlement Agreements states that parties should be given a reasonable period of time to consider the proposed settlement agreement and that, as a general rule, ten calendar days should be allowed to consider the proposed formal written terms of a settlement agreement and to receive independent advice, unless the parties agree otherwise.

Allowing employees to be accompanied

Although the Acas Code on Settlement Agreements acknowledges that there is no legal right for employees to be accompanied during pre-termination negotiations, it suggests that employers should allow this.

“Subject to contract”

Correspondence about the settlement agreement (and drafts of the agreement itself) will usually be marked “subject to contract”. The intention is to make it clear that nothing said or written in negotiations should give rise to a legally binding contract until all the terms have been agreed and the contract signed by both parties.

Typical contents of settlement agreements

The contents of a settlement agreement are largely at the discretion of the parties, except for those clauses which relate to the statutory requirements.

In a typical case, termination of employment will have occurred or be imminent. The agreement will usually provide for the employee to receive a termination payment in return for waiving certain claims.

Examples of typical clauses are:

  • Arrangements on termination (dealing with issues such as untaken holiday and salary payments)
  • Termination Payment (what cash compensation will the employee receive?)
  • Benefits (what other benefits will the employee receive?)
  • Pension (dealing with treatment of the employee’s pension)
  • Legal fees (usually all of the employee’s legal expenses are covered)
  • Waiver of claims (where the employee agrees not to sue the employer)
  • Return of company property (where the employee agrees to return all company property)
  • References (where the employer agrees to provide a reference that is in a form agreed with the employee)
  • Restrictive covenants (usually these repeat any restrictive covenants in the employee’s employment contract)
  • Confidentiality (the parties agree that the terms of the agreement are confidential)
  • Other standard clauses to be found in most contracts, such as English law applying, the English courts having jurisdiction to hear any claims, etc.

Issues relevant to drafting settlement agreements

Prior to drafting a settlement agreement, a number of issues will need to be considered, including:

  • The proposed timing of the termination, including the implications if there is going to be a significant delay between signing the agreement and the proposed termination date.
  • The reason for termination, including how this will be reflected in the agreement (if at all) and how any associated announcements will be handled.
  • The value of the settlement package on offer (having regard to the employee’s salary and contractual entitlements, together with the value of any potential claims).
  • Where there is a discretion to be exercised by the employer (for example in relation to bonus or share options), how this discretion will be exercised.

Termination payment

The amount of the termination payment is likely to be an important focus of the settlement discussions. The employee will usually seek to improve this, or to enhance the overall value of the package in other ways. This may be done by:

  • Negotiating a higher lump sum, having regard to the merits of any claims.
  • Seeking a more tax efficient way for the sum to be paid, for example having part of the termination payment paid into a pension scheme.
  • Negotiating the payment of discretionary sums under discussion, for example in relation to bonus, commission or share options.

Tax status of payment

Where a payment is made to an employee on the termination of employment, it is either taxable in the normal way as earnings under the Income Tax (Earnings and Pensions) Act 2003 or taxed as a termination payment under sections 401 to 416. The first £30,000 of payments that fall within section 401 is exempt from tax and any excess will be subject to income tax in the normal way, with the employer being responsible for accounting to HMRC.

Legal fees

It is usual for the employer to make a contribution to the employee’s legal fees, since one of the statutory conditions for a settlement agreement is that the employee has received legal advice.

If you have any questions concerning a settlement agreement please get in touch.