GDPR will mean changes for company share plan administration

Out-Law Analysis | 20 Dec 2017 | 3:52 pm

ANALYSIS: New EU-wide data protection rules which come into force on 25 May will change the basis on which companies can gather, store and process personal data. The new rules mean that many companies operating share plans for employees will need to take action to remain compliant.

The General Data Protection Regulation (GDPR) imposes stricter controls, which means that companies operating share plans will need to use a new basis for their data processing. While it would be convenient to operate this in tandem with payroll, this is not always possible.

Managers of share incentives may sit in HR, the company secretarial team or the finance department, or in some combination of those. They will need to review all stages of the share award process, just as HR will need to review all stages of the employment journey.

Until now, companies have very often relied on the consent of data subjects as the basis for processing, but that will generally no longer be an appropriate lawful ground for most, if not all, share plan data processing.

Issuers will need to look at other lawful grounds and implement appropriate processes, with third party service providers where relevant, to ensure compliance under GDPR.

It would be ideal to co-ordinate GDPR compliance planning for all employment and share plan needs, but because of the way share plans work this will not always be possible.

Employee share plans often operate on a group basis, using parent company shares and making awards to employees of several employers within a group. While HR may also be organised on a group basis to a degree, for share plans it is likely that much more will sit at the group rather than the employer level.

Share plans often involve third party service providers and these may differ from any engaged by the same group for employment purposes.

For employee shares and brokers dealing in shares on behalf of trustees and employees, the GDPR is likely to require the review and amendment of arrangements with all share plan service providers.

Another factor making it difficult to share the basis of data processing is that the parent company, subsidiaries and service providers may be based in different jurisdictions, some outside the EU.

It is also the case that a group may have several different share plans and arrangements and many outstanding share awards, some held by ex-employees, all requiring review and updating before 25 May 2018.

We anticipate many companies will need to amend share plan rules and issue communications to all new and existing share plan participants to be compliant with the GDPR.

Suzannah Crookes is a share plans specialist at Pinsent Masons, the law firm behind