
Three months to go until GDPR comes into force: are you ready?

Has getting to grips with GDPR been lingering on your to-do list for the past year? With only three months to go until GDPR comes into force on 25 May, now is the time to push it to the top of your list.

Don’t panic if you have not yet started to prepare. Here are our top tips for getting your organisation ready:

  • Start with an audit of what data you hold and what you do with it. You can then consider what legal basis you have for processing the data. With the advent of GDPR, you should be moving away from the use of consent, which individuals are entitled to withdraw, to one of the other permitted bases for processing data. In the employment context, most data processing will be permitted as being required for performance of the employment contract or complying with a legal obligation. There is also a basis for processing where an organisation has “legitimate interests” to do so.
  • A new privacy notice will be needed to comply with GDPR. Consider having separate privacy notices for existing employees and for recruitment purposes. GDPR requires privacy notices to be concise, easily accessible and easy to understand. There is a significant list of mandatory information which needs to be included in a compliant notice.
  • If, like most employers, you have a data protection consent clause in your template employment contract, this should be removed from any new contracts being issued. You don’t need to issue fresh contracts to existing employees but you should let them know that you are no longer relying on consent and refer them to your new privacy notice.
  • Put in place a procedure for dealing with subject access requests – GDPR requires requests to be dealt with faster (within a month in all but exceptional cases) and without charging a £10 fee (except where a request is “manifestly unfounded or excessive”, in which case you can charge a “reasonable” fee). You should also have a procedure in place for dealing with any data breach and the new requirement to notify the Information Commissioner’s Office of such a breach.
  • Start training employees so that everyone is aware of their responsibilities.

Whilst GDPR brings with it the threats of significantly increased penalties for non-compliance, starting preparations now (if you have not already done so) will stand your organisation in good stead for the new regime. If you need support in tackling your preparations, please get in touch with a member of the team.

Changes to Immigration Rules on continuous residence

In the latest round of changes to the Immigration Rules, two changes to the rules on continuous residence are likely to have a significant impact for many of those looking to secure indefinite leave to remain (ILR) in the UK.

Gender pay gap developments

A steady trickle of gender pay gap reports is now being published as 2017 draws to a close, leaving just over three months until the 5 April 2018 deadline for publication. However, analysis by the Financial Times suggests not all of the published results are accurate. Meanwhile, the Government Equalities Office (GEO) has published a toolkit to assist employers in calculating and publishing their gender pay gap data and then taking action to remove any gap.

Brexit update

As you will no doubt have seen in the news, progress has been made in phase one of the Brexit negotiations. We have prepared a summary of the position on citizens' rights; whilst it has been stressed that "nothing is agreed until everything is agreed", the lie of the land is starting to look a little clearer for those EEA nationals who are already in the UK.

Data protection breaches: vicarious liability for employee’s criminal actions

WM Morrisons Supermarkets plc have been found vicariously liable for a data protection breach after an employee bearing a grudge deliberately published personal details of 100,000 of its employees on the internet.