Preparing for the GDPR - an employer's toolkit


Systems

• Identify all existing data systems and personal data processing, including that carried out by external providers (e.g. payroll). Consider using an Information Asset Register as a way to record the categories of data held, their location and who they are shared with.
• Identify the purposes for which such data is processed and the legal basis for processing under the GDPR.
• Assess what automated decision-making (if any) you carry out and ensure that it is not solely automated.
• Ensure that systems are adequate so that employee data is kept secure, is updated and deleted when appropriate, and can be deleted or rectified on receipt of an employee request.
• Note the new timeframes (“without delay” and within one month, with a potential extension for complex or numerous requests) for responding to Data Subject Access Requests and update internal procedures accordingly.

Contracts and policies

• Review recruitment documentation and employment and other personnel contracts, particularly consent provisions. Where consent can still be relied upon, prepare a separate consent form.
• Update your Data Protection Policy to include details of:
  • the purposes for which data is processed
  • the legal bases for processing, including an explanation of the legitimate interests you are relying on as an employer (e.g. ensuring employees comply with their contractual obligations)
  • data retention periods
  • employees' rights of access, erasure, rectification, objection and portability
  • employees' rights to withdraw consent to processing and to complain to the Information Commissioner
  • details of any automated processing.
• Establish a policy and procedures for handling data breaches to ensure compliance with the 72-hour notification requirement.
• Establish procedures for dealing with employee requests for deletion or rectification of data, including considering which legitimate interests may apply.

Resources and personnel

• Assess whether you will need to appoint a Data Protection Officer and, if so, who.
• Allocate appropriate resources to prepare for the necessary changes. In particular, identify who will take overall responsibility for implementation.
• Train staff on their data protection responsibilities and on how the changes affect them in their jobs.

Published by Howard Kennedy LLP.