Preparing for GDPR – 7 key steps for employers 

May 17, 2018 10:48 am

A Guest Blog by Sue West from West HR

With just over a week to go before GDPR (the General Data Protection Regulation) starts to apply on 25 May 2018, here is a useful guide to the initial actions employers need to take, broken down into 7 key steps by our HR partners at West HR.

Businesses across the length and breadth of the UK are busy preparing for how GDPR affects their use and storage of customer data. But it’s crucial to remember that the definition of ‘personal data’ under GDPR also applies to all personal data held about your employees (and potential employees) in HR systems and files anywhere in your business.

It’s also important to understand that certain categories of ‘personal data’ are subject to even more strict rules regarding collection and processing. These ‘special’ categories include things like racial or ethnic origin, sexual orientation and health/medical information.

Here are 7 key steps covering the initial actions you should be taking as an employer, to make sure your processes for collecting, storing and using employee personal data don't fall foul of the GDPR:

Step 1: Data Audit

Conduct a full data audit of what staff data you hold, where you store it, why you hold it and on what lawful basis, who has access, and how long you keep it for. This may be quite a challenge if you store your personnel records in different locations, but it is a crucial first step because it will inform all the other documents and records you will need to demonstrate your compliance with GDPR. West HR can provide a template with hints and tips on where to look and what to capture.

Step 2: Duplication

Your data audit will identify areas where you store the same employee personal information in more than one place. Some duplication is unavoidable to keep the business running smoothly, but the more copies there are, the harder it is to keep them up to date and to delete them all when the data is no longer required. Speak to operational teams and other data users within your organisation to find ways to hold employee data in a shared location, so that each piece of information is stored only once, with secure and appropriate access for the teams and functions that need it.

Step 3: Privacy Statements

For employee data, you will need to write two different privacy statements: one for job applicants, and one for employees. Your privacy statement is a clear explanation to your data subjects (employees and job applicants) of what data you hold, why you hold it, what you will use it for, who you share it with, how long you will keep it, and what rights they have over it.

Step 4: Document Review

Your existing employee documentation will need to be reviewed to remove all but a few references to consent (consent is rarely a valid lawful basis for processing employee data, because of the imbalance of power between employer and employee) and to the outgoing Data Protection Act 1998. You will also need to look at any confidentiality, discipline and social media policies, updating them where necessary to reflect the GDPR standards.

Step 5: Staff Training

As an employer under GDPR, you are responsible not only for your company's systems and procedures, but also for the actions of your staff. All employees will need general GDPR awareness training, and any staff who work with personal data will need more detailed training on what they specifically must do to comply.

Step 6: Procedural Review

Check when and how you are communicating your privacy notices to employees and job applicants, and make sure that anyone who provides you with personal information knows why you are collecting it, what you will do with it, and how long it will be kept for. You also need robust procedures for dealing with requests for data changes/updates, Subject Access Requests, and data breaches, so you can respond within the GDPR timescales: normally one month for a Subject Access Request, and 72 hours from becoming aware of a breach to notify the ICO where notification is required.

Step 7: Deletion Procedure

An important part of GDPR is not keeping personal data for longer than it is needed. GDPR does not set fixed periods; common UK practice is to delete job applicant details around 6 months after the hiring decision, and to retain employee details for 6 years after their employment ends. Make sure you have a robust process for deleting personal data in line with your documented retention periods, and include a regular audit of personal files (in every location your data audit found) to ensure you aren't storing any information you no longer have a use for.
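As an added illustration of what a deletion procedure and its regular audit can look like in practice (example code written for this post, not a West HR tool), the script below takes the retention periods described above as parameters, works out the deletion date for each stored copy of a record, and lists the copies that are overdue. The record fields, the 6-month and 6-year figures, and the sample data are assumptions for the example; the records shown are constructed, not real personnel data. Note the edge cases a naive "add six months" misses: month lengths differ, leap days exist, and a current employee has no retention clock running at all.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods as described in the post, held as parameters so they can be
# changed to match your own documented retention schedule (assumed values).
APPLICANT_RETENTION_MONTHS = 6        # from the date the hiring decision is made
EMPLOYEE_RETENTION_MONTHS = 6 * 12    # from the date employment ends


@dataclass
class PersonnelRecord:
    record_id: str
    category: str                 # "applicant" or "employee"
    clock_start: Optional[date]   # applicant: decision date; employee: leaving date;
                                  # None while the application is open / person still employed
    location: str                 # where this copy lives, as found in the data audit


def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole months, clamping to the last valid day
    (so 31 March + 6 months is 30 September, 29 Feb + 6 years is 28 Feb)."""
    offset_years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + offset_years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def deletion_due(rec: PersonnelRecord) -> Optional[date]:
    """Date on which this record should be deleted, or None if the retention
    clock has not started (current employee, application still open)."""
    if rec.clock_start is None:
        return None
    if rec.category == "applicant":
        return add_months(rec.clock_start, APPLICANT_RETENTION_MONTHS)
    if rec.category == "employee":
        return add_months(rec.clock_start, EMPLOYEE_RETENTION_MONTHS)
    raise ValueError(f"unknown record category: {rec.category!r}")


def overdue_records(records: list[PersonnelRecord], today: date) -> list[PersonnelRecord]:
    """Records whose deletion date has passed. Each location holding a copy is
    its own record, so duplicates found in the audit are swept as well."""
    return [r for r in records if (due := deletion_due(r)) is not None and due <= today]


def audit_report(records: list[PersonnelRecord], today: date) -> list[dict]:
    """One row per stored copy, for the periodic review of personal files."""
    rows = []
    for r in records:
        due = deletion_due(r)
        if due is None:
            status = "retain (clock not started)"
        elif due <= today:
            status = "DELETE (overdue)"
        else:
            status = "retain"
        rows.append({"record_id": r.record_id, "location": r.location,
                     "deletion_due": due.isoformat() if due else None, "status": status})
    return rows


# Constructed sample data for the example, not real personnel records.
SAMPLE_RECORDS = [
    PersonnelRecord("A-101", "applicant", date(2017, 11, 1), "hr-system"),
    PersonnelRecord("A-102", "applicant", date(2018, 3, 31), "hr-system"),
    PersonnelRecord("A-102", "applicant", date(2018, 3, 31), "hiring-manager mailbox"),
    PersonnelRecord("E-7", "employee", date(2012, 2, 29), "payroll archive"),
    PersonnelRecord("E-9", "employee", None, "hr-system"),
]

if __name__ == "__main__":
    for row in audit_report(SAMPLE_RECORDS, date(2018, 5, 25)):
        print(row)
```

Run on 25 May 2018, the report marks A-101 (decision in November 2017) and E-7 (left on 29 February 2012) for deletion, keeps both copies of A-102 until 30 September 2018, and leaves the current employee E-9 alone. Keeping one row per location is deliberate: the deletion step is only complete when every copy the audit found has gone.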

For more information about GDPR and how it affects your business, check out these other useful resources:

For one-to-one guidance and support with preparing your HR records and employee personal data for GDPR, contact West HR.


Is your website GDPR-ready?

April 4, 2018 2:21 pm

You've no doubt heard lots about the GDPR, which applies from 25 May 2018.

As its main focus is on the way you collect, store and share personal data, there are implications for your website, so we're here to make sure you're fully prepared.

How GDPR affects your website

For most data collected through a website, GDPR comes down to consent (one of the lawful bases it allows for processing). When you collect personal data on your site, you need a basis for using it, and for marketing that basis is normally consent: people who use your website must understand how you plan to use their data, and actively agree to it.

So if you’ve got someone’s email address because they’ve placed an order with you, you can only market to them if they’ve actively agreed to this. Not just because they bought something from you once upon a time.

As this is all so new, the ramifications aren’t yet clear. Nobody has professed to be an expert at GDPR and there’s no one size fits all solution yet… believe us, we’ve checked!

5 key areas for GDPR compliance

To help you understand what it will mean for your website, we’ve put together a quick check list:

  1. Your documents are likely to need updating, starting with forms, privacy notices and cookies. All the small print. You’ll want to tell your visitors what sort of data you’re collecting and why. Take a look at our privacy notice to see how it’s changed.
  2. It's also wise to make sure that any data submitted to your website is encrypted in transit by serving the whole site over HTTPS (TLS, still often called SSL). This protects personal data as it travels between the visitor's browser and your server, so it cannot be read or altered on the way, and Google treats HTTPS as a ranking signal. Every form on the site, including ones that post to a third-party service, should submit to an https:// address. If you don't already have this, talk to John about it. He knows exactly what to do to put this in place so that you have peace of mind about every transaction.
  3. Consent is a big part of GDPR. You'll need to make sure all consent checkboxes are unticked by default and that it's absolutely clear what your visitors need to do to 'opt in'. Keep these forms separate from your regular terms and conditions for optimum transparency.
  4. Under the GDPR, you’ll need to appoint a Data Protection Officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. This role can be an existing employee or someone external. Make sure that their contact information is clearly listed on your site so that people can easily get in touch. There’s more about what’s required at
  5. Are you clear about the Right to be Forgotten? The GDPR (Recital 65) states that "a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed."
    As a result, your visitors can request to have all the data held about them deleted, including copies in backup systems. According to research by Solix, 82% of organisations don't know where their most sensitive personal data is stored, and only 55% maintain audit trails for data consents, collection, updates and deletion. That is a real non-compliance risk, so getting to grips with what you need to do in bite-size chunks makes a lot of sense.
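Points 2 and 3 of the checklist above can be checked mechanically before launch. The script below is an added example written for this post (not a tool from the agency): it parses the HTML of a page, flags any form whose action does not resolve to an https:// address, and flags any consent checkbox that is already ticked in the markup. The page URL, the form markup and the list of words used to recognise a consent checkbox are assumptions for the example; the sample page is constructed, not a real site.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record every <form> on the page together with its <input> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self._current: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a valueless attribute such as `checked` maps to None
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


# Heuristic (an assumption for this example): a checkbox whose name or id
# contains one of these words is treated as a consent control.
CONSENT_HINTS = ("consent", "marketing", "newsletter", "optin", "opt_in", "opt-in")


def audit_forms(html: str, page_url: str) -> list[str]:
    """Return findings for two checks:
    1. the page and every form target must use https (a relative form action
       inherits the page URL, so it is only safe if the page itself is https);
    2. no consent checkbox may be ticked before the visitor acts."""
    findings: list[str] = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append(f"page itself is served over {page_scheme}, not https")

    collector = FormCollector()
    collector.feed(html)
    for index, form in enumerate(collector.forms):
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(f"form {index}: submits to {target} without TLS")
        for inp in form["inputs"]:
            name = (inp.get("name") or inp.get("id") or "").lower()
            is_checkbox = (inp.get("type") or "").lower() == "checkbox"
            if is_checkbox and any(h in name for h in CONSENT_HINTS) and "checked" in inp:
                findings.append(f"form {index}: consent checkbox {name!r} is pre-ticked")
    return findings


# Constructed sample page for the example. Form 0 has both problems; form 1 is clean.
PAGE_URL = "https://www.example.com/contact"
SAMPLE_HTML = """
<form action="http://www.example.com/subscribe" method="post">
  <input type="email" name="email">
  <input type="checkbox" name="marketing_consent" checked> Send me offers
  <input type="submit" value="Sign up">
</form>
<form action="/contact" method="post">
  <input type="text" name="message">
  <input type="checkbox" name="newsletter_optin"> Keep me posted
  <input type="submit" value="Send">
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML, PAGE_URL) or ["no findings"]:
        print(finding)
```

This is a static check of the markup only: it catches a form that posts to a plain-http address and a pre-ticked consent box, but it cannot tell you whether the live server redirects http:// visitors to https://, whether the certificate is valid, or whether a script ticks the box after the page loads. Those need a check against the running site.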

Still unsure about the GDPR and your website?

If you’re not clear how all this will affect your website, don’t worry. It’s not too late…

We can help you and your website get ready for 25 May. Just give us a call on 0330 088 9277 or email
