Three months to go until GDPR comes into force: are you ready?

Has getting to grips with GDPR been lingering on your to-do list for the past year? With only three months to go until GDPR comes into force on 25 May, now is the time to push it to the top of your list.
Don’t panic if you have not yet started to prepare. Here are our top tips for getting your organisation ready:

  • Start with an audit of what data you hold and what you do with it. You can then consider what legal basis you have for processing the data. With the advent of GDPR, you should be moving away from the use of consent, which individuals are entitled to withdraw, to one of the other permitted bases for processing data. In the employment context, most data processing will be permitted as being required for performance of the employment contract or complying with a legal obligation. There is also a basis for processing where an organisation has “legitimate interests” to do so.
  • A new privacy notice will be needed to comply with GDPR. Consider having separate privacy notices for existing employees and for recruitment purposes. GDPR requires privacy notices to be concise, easily accessible and easy to understand. There is a significant list of mandatory information which needs to be included in a compliant notice.
  • If, like most employers, you have a data protection consent clause in your template employment contract, this should be removed from any new contracts being issued. You don’t need to issue fresh contracts to existing employees but you should let them know that you are no longer relying on consent and refer them to your new privacy notice.
  • Put in place a procedure for dealing with subject access requests – GDPR requires requests to be dealt with faster (within a month in all but exceptional cases) and without charging a £10 fee (except where a request is “manifestly unfounded or excessive”, in which case you can charge a “reasonable” fee). You should also have a procedure in place for dealing with any data breach and the new requirement to notify the Information Commissioner’s Office of such a breach.
  • Start training employees so that everyone is aware of their responsibilities.

Whilst GDPR brings with it the threats of significantly increased penalties for non-compliance, starting preparations now (if you have not already done so) will stand your organisation in good stead for the new regime. If you need support in tackling your preparations, please get in touch with a member of the team.

Laura Morrison

About Laura Morrison

Laura is a managing practice development lawyer based in Dentons' Edinburgh office, supporting the People, Reward and Mobility practice across the UK. She has more than 14 years' experience as an employment lawyer. Laura's responsibilities focus on supporting our fee earners through a variety of knowledge initiatives, from internal and external training to the development of innovative methods for service delivery.

Full bio