Happy 3rd GDPR Day!

By Darren Isaacs and Deborah Margolis - 25 May 2021

Happy 3rd birthday to GDPR!

Can you believe it’s been 3 years since the time when Google searches for “GDPR” were outranking those for Beyoncé? Who can forget the days when we were receiving 10 privacy notices a day, including from a hotel you stayed in once five years prior, or from that coffee shop where you briefly used the wifi on holiday?! Such nostalgia!

Over the last 3 years data privacy has continued to be a growing area. The results of our 2021 Littler Annual Employer Survey showed that data privacy issues were the biggest concern for employers doing business outside the US. From our perspective we’ve seen the following trends:

  • A growing awareness from employees of their rights (including DSARs “if you know, you know”)
  • On an international level, a number of data transfer queries following Brexit
  • Questions about some of the “trickier” aspects of data privacy, like equalities monitoring following the Black Lives Matter movement.

Although the GDPR/Queen Bey hierarchy has now been rightfully restored, GDPR continues to be an important compliance issue (and we promised ourselves that we wouldn’t mention the fines on a day like today…).

To celebrate the 3rd anniversary, we have 3 essential HR things you should check:

  • Employment contracts – are your employment contracts up to date and compliant with GDPR? In particular, if you are still using a contract that contains an employee’s consent to process their data, then it is probably time to update your template…

  • Employee/candidate privacy notices – do you have privacy notices setting out the necessary information such as what you collect, what you do with it and who you share it with?

  • Appropriate policy document – most employers will process special categories of data in one way or another (whether that is health/medical data, race/religion or sexual orientation) or criminal records data. This will most likely mean that you need to have an “appropriate policy document” which sets out how you comply with GDPR and how long you hang onto this sensitive data.

As well as the HR documents and policies, there are a bunch of other “corporate” data privacy documents you may need for your business, which also deal with HR data (as well as other data). We have a handy one-page “cheat sheet” which sets all of these out, explains what they are and when you need them – let us know if you would like a copy and we can send it over to you.

Note: this article is aimed at UK businesses, but if you are operating in other European countries, there are likely to be local law variations that you need to be aware of. If you’d like further guidance on this, let us know and we can point you in the right direction.

Further reading

If you are interested in knowing more, here are some other articles about GDPR which may be of interest:


If you have any queries about GDPR (or if you want to share details of your celebrations with us, we promise not to share them with any third parties) please get in touch with Darren Isaacs and Deborah Margolis or your usual Littler contact.