When the European Union (EU) General Data Protection Regulation (GDPR) comes into force on May 25, changes in data protection obligations will affect how employers handle sensitive information about employees. The Information Commissioner's Office (ICO) will be able to impose substantial fines of up to €20m, or four percent of annual worldwide turnover. The processing of an employee's personal data must comply with six data protection principles. It must be: processed lawfully, fairly and in a transparent manner; collected only for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary for the purpose for which it is collected; accurate and kept up to date; kept for no longer than is necessary; and kept securely. Information about an employee's health will be considered special category data.