Health, Safety & Environment Consultants

GDPR and Health and Safety


The General Data Protection Regulations (GDPR) are coming into force on 25 May 2018. Are you ready?

GDPR will replace the existing Data Protection Act (DPA) and will affect all businesses in the UK. It is intended that there will be one set of regulations regarding data protection across the EU. Despite the UK leaving the EU it is not anticipated that this will affect the requirements of GDPR.

GDPR requires businesses to have a GDPR policy in place and measures to control data flow both internally (within an organisation) and externally. This is as simple as:

  1. This is the documentation I have.
  2. This is why I keep it.
  3. This is what I do with it.
  4. This is how I protect it.

There are two roles defined within GDPR which will affect nearly all organisations:

  1. Data Controller – determines the purposes and means of processing personal data.
  2. Data Processor – responsible for processing personal data on behalf of a controller.

A third role which may affect your organisation is the Data Protection Officer (DPO). A DPO is required for businesses with >250 employees. This includes anyone else you require within your business who provides services. It is also required if you hold significant data and for public authorities. Significant data will include private companies who hold information such as medical and health surveillance records. It is imperative that the DPO must have no access to data, so this means they must not use or process it in any way.

So how does GDPR affect health and safety data and what kind of health and safety data is affected? GDPR places a requirement on organisations to control certain health and safety data stored by employees, such as:

  • Complaints regarding health and safety where the worker has identified themselves.
  • Occupational health monitoring records.
  • Training records.
  • Accident report witness statements.
  • Accident and Incident information such as accident book information, RIDDOR reports and incident investigation reports.
  • Insurance claims reports.
  • Risk assessments containing sensitive information such as physical or mental health

It is important to note that individuals also have a right to access of any data you hold on them. This must be provided free of charge and within one month of receipt of a request.

More information on GDPR can be found on the ICO website.

Don’t let GDPR catch you out. Compliance is simple. Get prepared today.

If you need help with assessing your GDPR requirements with regards to health and safety, or with any part of your health, safety and environment management system, contact us to find out how we can help you: or 01843 6399711.

Back To All