Data Protection and the UK GDPR
What Business Owners and Managers Need to Know in 2024
Published: 20th June 2024
Author: Matthew Chilcott, Owner – Consensus HR
As a business owner or manager, protecting your employees’ personal data isn’t just good practice—it’s a legal obligation.
Since 25 May 2018, the UK General Data Protection Regulation (UK GDPR) has replaced the previous Data Protection Act and applies to every organisation, regardless of size or sector. Whether you employ two people or two hundred, you must comply or face the risk of a substantial fine—up to €20 million or 4% of your company’s annual global turnover.
🔍 The UK GDPR & Data Protection Act 2018: A Quick Overview
The Data Protection Act 2018 (DPA) works alongside the UK GDPR to modernise the UK’s data protection laws. For employers, this means reviewing how your business handles personal data—particularly when it comes to employees, job applicants, and even former staff.
- Consent is key: You must have clear consent to collect or process employees’ personal information.
- Policies must be robust: Data protection policies should clearly explain what data is held, why it’s collected, and how it’s stored and deleted.
- Employees have rights: Individuals can make a Subject Access Request (SAR) to view the data you hold about them—and you must respond within 30 days.
- Health information is protected: You can only request medical information with the employee’s consent, as per the Access to Medical Reports Act 1988.
- Recruitment practices must be ethical: Be cautious when using candidate information found on social media. It must be relevant and the applicant should have the chance to respond.
✅ Key Responsibilities for Employers in 2024
Whether you’re managing a small team or running a growing enterprise, here’s what you need to do:
- Develop a clear data protection policy for all staff and management.
- Train your team on GDPR compliance and handling confidential data.
- Ensure all employee consent is documented and specific to each purpose.
- Be prepared to respond to subject access requests promptly and transparently.
- Limit data access to those who genuinely need it for operational reasons.
- Review third-party sharing policies and ensure legality before disclosing data externally.
🧩 Six Principles of GDPR You Must Follow
All businesses processing personal data must follow these six key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
💬 A Word from Matthew Chilcott – Owner, Consensus HR
“Too often, we see businesses assuming GDPR is only for large corporations or IT departments—but that’s simply not the case. Every employer is responsible for ensuring employee data is handled correctly. At Consensus HR, we work with our retained clients to implement clear, compliant policies and provide practical guidance tailored to their business. Whether it’s handling a Subject Access Request or training managers, we’re here to help you get it right—without the stress.”
🛠️ Practical HR Support for Your Business
If you’re unsure whether your data protection approach is compliant, now is the time to act. At Consensus HR, we offer:
- Fully compliant HR documentation
- Bespoke employee data protection policies
- Manager and team training on GDPR requirements
- Step-by-step help with employee requests and data handling
Let us take the guesswork out of GDPR compliance—so you can focus on running your business with confidence.
👉 Contact us today to learn more about our retained HR services and how we can help your business stay protected and prepared.