GDPR and share schemes – should you care?

  • Posted

Many employers are considering how they use their customers’ data but are not making adjustments for their employees. But, as we explain below employers do have to make any share plan GDPR compliant and are at risk for not doing so.  New or existing unapproved options, EMI plans or growth shares will all be impacted.

We can help bring any share plan into line with GDPR.  Please do get in touch to discuss as we are happy to provide an indication of what needs doing and estimated fees.

Who does GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’ of personal data (any information relating to an identifiable person that can be used directly or indirectly to identify that person).

Who are controllers?

A controller decides how and why the personal data is processed – all contracts with processors must comply with GDPR guidelines.

Who are processors?

A processor carries out the processing of the personal data in accordance with the controller’s instructions – this places the processor under specific legal obligations.

Does your business need to be GDPR-compliant?

GDPR will therefore apply to all businesses and organisations operating within the EU and non-EU organisations that offer goods or services to individuals or companies in the EU.

In the context of employee share schemes, an employer who is responsible for administering their scheme may qualify as either a controller or processor for the purposes of GDPR – which category they fall into will depend on the company and its arrangements. We have the expertise to determine this for you.

What are the main data protection issues GDPR raises for share schemes?

There are key areas of change that all companies operating share plans should consider.


Under current data protection legislation it is sufficient for an employer to rely on the consent (implicit or explicit) of employees to the processing of their personal data for the purposes of operating the company’s share plans. Following the implementation of the GDPR this may no longer constitute value legal consent. So, from 25 May 2018 companies will need to rely on another legal basis to allow them to hold and process their employees’ personal data.

Employees will also now be able to withdraw their consent to the company’s use of their personal data at any time. This right must be highlighted to the employees, which means that the consent statement commonly included in share award agreements is no longer going to be sufficient for dealing with the personal data of your employees.

However, there are limited circumstances under the new data protection regulations in which it may be appropriate to deal with your employees’ personal data. We can find one to fit your plans.

Data privacy notices

As data subjects, share plan participants must be sent a data privacy notice. This must include key information such as the identity and contact details of the data controller; details of the data protection officer; the purpose of the data processing; and the period of storage.

Certain information must also be provided to employees where their personal data has been obtained indirectly, such as via payroll.

Data security and reporting obligations

We can review your share plans to ensure they meet the new, stricter rules on data security. In order to minimise the impact of the GDPR on your business, we can establish clear processes for you to deal with any instances of breach. We will work with you to create policies that fit your business and the way you operate.

What should companies with share schemes do now?

Data review

What is being collected and how? Where is it being stored? Why is it being held? These are important questions that determine whether your company is compliant with the new regulations. We can help you answer them.

New and existing share plans

GDPR-compliant wording and reference to a data privacy notice must be included into the share plan rules, all award agreements and any communications to your employees. We can amend and update these.

Privacy impact assessments

If you hold or process sensitive personal data or engage in profiling employees (current or prospective) you should consider a PIA. We can guide you through this.

The impact of GDPR will depend on the individual circumstances of the company and how the share plan is operated. We have wide-ranging experience in assisting companies with share plans and we are always happy to talk through the implications of GDPR for your business.