Preparing for GDPR - an employer's toolkit


  • identify all existing data systems and personal data processing, including that carried out by external providers (e.g. payroll). Consider using an Information Asset Register as a way to record the categories of data held, location and who it is shared with
  • identify the purposes for which such data is processed and the legal basis for processing under the GDPR
  • assess what automated decision-making (if any) you carry out and ensure that it is not solely automated
  • ensure that systems are adequate so that employee data is kept secure, is updated and deleted when appropriate, and can be deleted or rectified on receipt of an employee request
  • note new timeframes (“without delay” and within one month with potential extension for complex/numerous requests) for responding to Data Subject Access Requests and update internal procedures accordingly.
08 Dec 2017
"Man typing on laptop.

Contracts and policies

  • review recruitment documentation and employment and other personnel contracts, particularly consent provisions. Where consent can still be relied upon, prepare a separate consent form
  • update your Data Protection Policy to include details of:
    • the purposes for which data is processed
    • the legal bases for processing - including an explanation of the legitimate interests you are relying on as an employer (e.g. ensuring employees comply with their contractual obligations)
    • data retention periods
    • employees' rights of access, erasure, rectification, objection and portability
    • employees' rights to withdraw consent to processing and to complain to the Information Commissioner
    • details of any automated processing
  • establish a policy and procedures for handling data breaches to ensure compliance with the 72 hour notification requirement
  • establish procedures for dealing with employee requests for deletion or rectification of data including considering which legitimate interests may apply.

Resources and personnel

  • assess whether you will need to appoint a Data Protection Officer and, if so, who
  • allocate appropriate resources to prepare for the necessary changes. In particular, identify who will take overall responsibility for implementation
  • train staff on data protection responsibilities and how they are affected in their jobs.


Our lawyers are experts in their fields. Through commentary and analysis, we give you insights into the pressures impacting business today.