3 tips for employers on staying GDPR compliant

3 min read  |   11 January, 2018   By Melissa Jones


The way we manage data has changed beyond all recognition in the last few years, with many businesses switching to computers, online and cloud-based services. However, the laws governing how that data is managed haven't kept up with the technological changes. That will change when the General Data Protection Regulation (GDPR) comes into force on 25th May 2018.

The introduction of GDPR will mean that employers will need to be much more mindful of how they collect, store and manage the data of their employees. Here are three proactive tips for employers on what they can do to ensure they are GDPR compliant.

Appoint a data protection officer

Under GDPR you must appoint a data protection officer (DPO) if:

  • You're a public body
  • Your core activities involve regular and systematic monitoring of individuals on a large scale
  • Your core activities involve large-scale processing of special categories of data (such as health, ethnicity or trade union membership) or of data relating to criminal convictions and offences.

Whether you are obliged to or not, it is encouraged to appoint a data protection officer so that you have someone dedicated to managing your data processes. As a small business this probably doesn’t require a full time position. It can be an existing employee, provided their DPO role doesn’t conflict with existing duties or you can appoint someone into a standalone role depending on the size of your organisation.

If you do appoint a DPO, even though you don't need to, the GDPR requirements for the role then apply to you exactly as if the appointment had been mandatory. If you decide to appoint an officer, they must:

  • Be located in the EU
  • Have expert knowledge of data protection law and be able to carry out the tasks set out in GDPR
  • Have experience commensurate with the sensitivity, complexity and amount of data your organisation processes
  • Be sufficiently senior in your organisation, yet able to carry out their duties independently, without being directed by senior management on how to perform them.

Note that your organisation remains responsible for data protection; appointing a DPO does not transfer that responsibility to them.

Complete a data audit

It’s good practice to review regularly what information you hold on your employees and what data you work with in general.

  • Establish what you have – List all the different data assets you hold, such as CRM software or HR software. Include both the computer files and the paper files you keep on your employees.
  • Make sure you know where it all is – Once you have worked out exactly what you hold, make sure you know where each item lives and how it is accessed. If you're using HR software, for example, who has access to it, how is data entered, and is there data that hasn't yet been stored in it, such as candidate CVs sitting in another employee's mailbox while they look for potential recruits?
  • Talk to your team – To find out exactly where and how your data is processed and stored you'll need to speak to the key players in your organisation. The fewer people there are, the easier this will be.
  • Track how the data is being used – Is there data you are storing unnecessarily? Is there data that needs to be deleted?

Review how data is collected and used

It is important to keep track of how your data is collected and used. Do you have a paper-based system, with employee personnel files organised in a filing cabinet? Are you using manually maintained electronic records, such as Word documents or spreadsheets, or have you moved to HR software, which often allows employee self-service? Do you store this data on a local internal system, or do you rely on cloud-based services?

Make sure the data you collect is relevant to your business. For example, storing records about employees' work history is a legitimate use of data, but storing information about what they like to eat or their favourite colour could be classed as unnecessary unless you can show it is relevant to your business.

Also make sure you know what processes are being used and how the data is handled, that it is handled securely, and that you review your policies regularly.

You may well already have a data protection or privacy policy, but under GDPR you'll have to make sure it is more detailed and contains certain information, including how long data will be stored, information on the right to make a subject access request, and information on the right to have personal data deleted. So it is important to have a process in place to ensure you're compliant with the new regulation when it comes into force.



Author: Melissa Jones

Mel is the Content Manager at breatheHR. She regularly contributes insights into the current small business climate with a focus on how HR is crucial to the success and growth of UK startups.
