Preparing for GDPR – 7 key steps for employers 


A Guest Blog by Sue West from West HR

With just over a week to go before GDPR (the General Data Protection Regulation) becomes law, here’s a useful guide to the initial actions employers need to take, helpfully broken down into 7 key steps by our HR partners at West HR.

Businesses across the length and breadth of the UK are busy preparing for how GDPR affects their use and storage of customer data. But it’s crucial to remember that the definition of ‘personal data’ under GDPR also applies to all personal data held about your employees (and potential employees) in HR systems and files anywhere in your business.

It’s also important to understand that certain categories of ‘personal data’ are subject to even more strict rules regarding collection and processing. These ‘special’ categories include things like racial or ethnic origin, sexual orientation and health/medical information.

Here are 7 key steps for the initial actions you should be taking as an employer, to make sure your processes for collecting, storing and using your employee personal data don’t fall foul of the new GDPR regulations:

Step 1: Data Audit

Conduct a full data audit of what staff data you hold, where you store it, why you hold it, who has access, and how long you keep it for. This may be quite a challenge if you store your personnel records in different locations, but it’s a crucial first step because it will inform all the other documents and records you will need to demonstrate your compliance with GDPR. West HR can provide a template to give you hints and tips on where to look and what to capture.

Step 2: Duplication

Your data audit will identify areas where you store the same employee personal information in more than one place. While some duplication of data is unavoidable to ensure the smooth running of your business, it’s important to understand that the more duplication there is, the harder it is to keep it up to date and delete it when it is no longer required. Speak to operational teams and other data users within your organisation to find ways to hold employee data in a shared location, so the information is only ever stored in one place, with secure and appropriate access by different teams and functions when needed.

Step 3: Privacy Statements

For employee data, you’ll need to write two different privacy statements: one for job applicants, and one for employees. Your privacy statement is a clear explanation to your data subjects (employees and job applicants) of what data you hold, why you hold it, what you will use it for, and how long you will keep it.

Step 4: Document Review

Your existing employee documentation will need to be reviewed to remove all but a few references to consent and the outgoing Data Protection Act (1998). You’ll also need to look at any confidentiality, discipline and social media policies, updating them where necessary to reflect the new GDPR standards.

Step 5: Staff Training

As an employer in the new world of GDPR, you’re not only responsible for your company’s systems and procedures, but also for the actions of your staff. All your employees will need overall GDPR awareness training, and any staff members who work with personal data will need more detailed, specific training on what they need to do to comply with the new regulations.

Step 6: Procedural Review

Check when and how you are communicating your privacy notices to employees and job applicants, and make sure that anyone who provides you with personal information knows why you are collecting it, what you will do with it, and how long it will be kept for. You also need to implement robust procedures for dealing with requests for data changes/updates, Subject Access Requests, and data breaches, so you can respond appropriately within the new timescales set out in GDPR.

Step 7: Deletion Procedure

An important part of GDPR is not keeping personal data for longer than it is needed. Job applicant details are generally deleted after 6 months, and employee details are normally only retained for 6 years after their employment ends. Make sure you have a robust process for deleting personal data in line with the new regulations, and include a regular audit of personal files to ensure you aren’t storing any information you no longer have a use for.

For more information about GDPR and how it affects your business, check out these other useful resources:

For one-to-one guidance and support with preparing your HR records and employee personal data for GDPR, contact West HR.
