How to start preparing for the General Data Protection Regulation (GDPR)
NOTE: While this guide was aimed initially at employers beginning their preparations in advance of the GDPR coming into force in May 2018, it remains useful as an overview of the key GDPR concepts and requirements, and for those employers that are still working on their GDPR compliance plans.
- Understand that the EU General Data Protection Regulation (2016/679 EU) (GDPR) significantly changes data protection law in the UK from 25 May 2018.
- Be aware of a new approach to data protection design under the GDPR, requiring organisations to embed privacy considerations in operational and strategic HR.
- Be aware of changes to obtaining consent to process employee data and a greater focus on the legal basis for processing data under the GDPR.
- Understand that there will be increased obligations under the GDPR to provide information to employees and job applicants about the processing of their personal data.
- Be aware of new record-keeping obligations for employers to demonstrate compliance with the GDPR requirements.
- Ensure that the organisation's board and senior management understand the potential exposure to fines and other sanctions under the GDPR, and obtain buy-in for GDPR compliance at a senior level across the organisation.
- Establish a GDPR compliance team with the necessary skills and experience to develop, implement and coordinate a compliance plan.
- Audit existing data processing activities across the organisation's employment lifecycle to identify high-risk areas.
- Develop a timeline to implement a GDPR compliance programme.