General Data Protection Regulation: resource round-up

The General Data Protection Regulation (GDPR) is now in force in the UK (from 25 May 2018). The aim of the GDPR is to establish a modern and harmonised data protection framework across the EU. The new framework imposes strict duties on employers in relation to the processing of personal data, with potentially very large fines for a breach of the rules (up to €20 million, or 4% of the organisation's total worldwide annual turnover if higher). The Data Protection Act 2018, which largely came into force on 25 May 2018, supplements the GDPR in the UK in certain areas.

Compliance with the GDPR is not affected by Brexit. As an EU regulation, the GDPR applies automatically in the UK during the transition period that is in place following the UK's exit from the EU on 31 January 2020. The GDPR will apply after the end of the transition period on 31 December 2020, when it will be incorporated into UK law.

Our range of resources can help you with your compliance work. We have model documents (such as an Employee privacy notice and Job applicant privacy notice) and practical guidance (see, for example, How to determine the legal grounds for processing employee data under the GDPR).

Look at ...

... our Employment law manual, which explains the law on data protection under the GDPR. The guidance describes the rules under the new framework, including those relating to the legal grounds for processing personal data, provision of privacy notices, dealing with special categories of personal data and data subject rights.

Below we list our new GDPR-compliant model policies and documents as well as our other GDPR resources.

GDPR-compliant policies and documents

Privacy notices

Subject access requests

Rectification of personal data

Erasure of personal data

Other GDPR resources

The basics

Processing activities

Third-party processing

Data retention and erasure

Subject access rights

Special categories of personal data