The new General Data Protection Regulations (GDPR) come into force on 25th May 2018 – Are you ready? Read these 6 Steps to ensure you are GDPR compliant from an HR perspective
The new GDPR regulations replace the Data Protection Act 1998 and place more emphasis on being accountable and transparent about your reasons for processing employee data.
The most significant change is the increased sanctions for breaches. Breaches of the GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater. Companies must be able to demonstrate their compliance to regulators – in the UK’s case, the Information Commissioner’s Office (ICO) – on an ongoing basis and to maintain records, and individuals will have significantly increased rights to access their personal data.
- Step 1: You will need to audit all of the personal information you hold on your employees
You must go through all of the data you hold on your employees and identify the lawful basis for retention, where it is held and how long it is being held for.
- Step 2: Employee Contracts & Consent
Existing contracts are not required to be changed. However, you will need to obtain separate consent not related to the acceptance of employment and new contracts going forward will need to be updated to reflect the new regulations.
- Step 3: You must notify your employees
Your employees must be notified of the changes in the law. You need to inform them that the law on data protection is changing and what this means for them.
- Step 4: Managing Personal Data going forward
It is recommended to consider appointing a Data Protection Officer (DPO) or Privacy Officer to manage the process going forward. You may also have to maintain a Data Register to remain compliant. Organisations using third parties, such as payroll providers, external HR resource providers and recruitment agencies, to process employee data will also be responsible for ensuring the third party is GDPR compliant.
- Step 5: Subject Access Requests (SARs)
The new regulations give employees the right to request access to their information. Employers need to be prepared to handle such requests in a timely manner and be aware that SARs may be used to obtain information which may be useful in tribunal claims.
- Step 6: Breaches
Organisations will be required to report data breaches to the ICO in all but the most trivial cases, unlike the current approach. Employers may also be required to inform data subjects affected by the breach.
If you need further assistance to prepare for GDPR or to ensure you are compliant we are here to help – Contact Us.