You should by now be well on your way to ensuring that you are able to show compliance with the General Data Protection Regulation (GDPR), which applies from 25 May 2018. But have you considered what impact GDPR will have on your share plans and whether you need to do anything before 25 May 2018?

If you haven't started thinking about this, you should.

It is likely your share plan documentation provides that by participating in the share plan, a participant consents to his data being processed and transferred in connection with the share plan. Typically, the consent language will extend to the company granting the share options/awards (together with any group companies) and any third parties involved in the share plan arrangement such as trustees of employee benefit trusts and/or administrators.

From 25 May, consent will, in most cases, no longer be the most appropriate ground for processing data, for various reasons. First, consent is arguably not validly given, because of the imbalance of power between employees and employers. Secondly, it can be withdrawn by the participant at any time and, were that to happen, it would leave companies operating these plans in a difficult position when it comes to the vesting/exercise of the option or award.

So what do you need to do?

Assuming that you're already taking stock of your current data protection practices, you should consider how your share plans fit into that exercise:

  • Look at your existing share plan documentation to see what it says about data transfer and processing.
  • With respect to existing awards, if data processing and transfer relies on the consent of the participant, consider what steps you need to take to clarify that data will be processed on other grounds such as pursuing the legitimate interests of the company operating the share plan/group.
  • With respect to future awards, consider changing your share plan documentation to make clear at the outset the grounds on which you are relying.
  • Consider what language you need to include in your privacy notice specifically to deal with share plan participation. This will depend on whether you use a third party to administer your share plans and/or you have an employee benefit trust to whom data is transferred.
  • Consider what arrangements you need to have between the administrator and/or trustee and the company operating the share plan to ensure that any data processing is undertaken in a way that is compliant with GDPR.

We can help you ensure that the processes you have in place to operate your share plans are GDPR compliant. Remember, the deadline is 25 May 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.