Preparing for GDPR - an employer's toolkit
Systems
- identify all existing data systems and personal data processing, including that carried out by external providers (e.g. payroll). Consider using an Information Asset Register as a way to record the categories of data held, its location and who it is shared with
- identify the purposes for which such data is processed and the legal basis for processing under the GDPR
- assess what automated decision-making (if any) you carry out and ensure that it is not solely automated
- ensure that systems are adequate so that employee data is kept secure, is updated and deleted when appropriate, and can be deleted or rectified on receipt of an employee request
- note new timeframes (“without delay” and within one month with potential extension for complex/numerous requests) for responding to Data Subject Access Requests and update internal procedures accordingly.