GDPR is effective from 25th May 2018. We’ve all sorted our marketing – haven’t you? But what about your staff? We’ve all been bombarded with emails begging us to opt in and hopefully we’ve all cleaned up our databases? But what about employment contracts and staff handbooks?
This week’s guest, Henry Doswell of Doswell Law, is offering a free GDPR Compliant Data Protection Policy for staff. All you need to do to get it is email him at firstname.lastname@example.org or tweet him @DoswellLaw.
Check out Henry’s recent article on GDPR:
There is still plenty of time to be ready for the GDPR. Here are 10 practical steps to take now…
1. Raise awareness and get buy-in from the top
Planning takes time and money. You need buy-in from the top so that you have the necessary resources to be on track by the time the new laws come into force. It’s also important to understand who is responsible for delivering GDPR compliance in your business. You are likely to need assistance from the IT department to finalise any data security measures or privacy notices. If you are behind on your planning, don’t worry, keep going. The ICO is likely to be much tougher on businesses that have done nothing to get ready for the GDPR than on those who have taken steps and are still refining their plans.
2. Complete a data audit
You need to work out what personal data you currently control and/or process and where exactly that data goes and what is done with it. You should have clear answers to at least the following questions: How is it collected? What happens to the information after you have collected it? Is it disposed of after a decision has been made or is it held in your systems or in the employee’s file? How secure is the data? Would you be able to detect a security breach? How and when is data disposed of?
3. Analyse the reasons that particular data is obtained currently
For example, do you currently collect and hold data for payroll purposes? Is it held for contacting family in an emergency? Or for carrying out your contracts or in case of legal action? Let’s take sickness records for the purposes of recording sick leave and giving sick pay. How long do you hold that data for? Do you have a system for deleting the data at say the end of the year? Does the reason you hold data change if you have been notified of an employee’s disability to comply with your duty to make reasonable adjustments? Are you relying on a blanket consent hidden in an employment contract or other documents and is it still relevant? You should go through a careful thought process for each category of data.
4. Consider which legal basis you will rely on for processing and remember the data protection principles
Which of the lawful bases will you rely on to process the data now? It is now very risky to rely on consent for most things, particularly in the employment relationship where the imbalance of power makes it hard to show that consent was freely given and can be withdrawn without detriment. Remember the grounds to rely on are: consent of the data subject; necessary for the performance of a contract with the data subject; necessary for compliance with a legal obligation; necessary to protect the vital interests of the data subject or someone else; necessary for a task carried out in the public interest; or necessary for the purposes of legitimate interests, provided those interests are not overridden by the interests and rights of the data subject. Whichever basis you choose, the data protection principles still apply: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning you must be able to demonstrate your compliance.
5. Review and update your employment contracts and policies
You will no longer be able to rely on standard blanket consents in an employment contract and they should be removed. This will be easy enough for new staff, but remember that for existing staff you may need to consider undertaking a consultation process. This may include informing staff that, as an employer, you will no longer be relying on the consent in their contract and will instead be relying on one of the other grounds, which you need to specify. You will also need to update any staff handbook and put in place new employment policies. At the very least you will need a new data protection policy or privacy notice which guides staff in how to comply with the GDPR. These policies will form important evidence of your compliance.
6. Check and update your internal processes
You need to allocate someone the responsibility of making sure all of the necessary processes are in place in relation to how you collect and use data, so that you comply with the new laws. That person needs to familiarise themselves with the relevant ICO guidance as a minimum. You should have processes to ensure that staff can exercise their new rights easily (for example, subject access requests, rectification and erasure, all of which now have statutory deadlines), and a process for detecting, recording and reporting security breaches.
7. Review and update your external contracts and processes
Where you share personal data with third party service providers, the business should ensure that any contract with these ‘data processors’ sets out clearly the data protection obligations and the contractual consequences of any breach. This could include contracts with IT cloud providers, benefit providers (including occupational pension schemes) and outsourced payroll providers. You will also need to have a system in place to deal with requests from employees to share their data with third parties.
8. Identify who is responsible for data protection compliance
You may need to recruit someone, or allocate an existing employee, to monitor compliance with the GDPR. Unless you are a public authority, or your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, you are unlikely to be required to appoint a formal data protection officer (DPO), but you may still want a dedicated data manager or team.
9. Train and support those responsible for compliance
You must ensure that anyone responsible for compliance with the GDPR has adequate training, resources and help. If you fail to support those responsible you may fail to comply with the new laws, and may even face increased levels of sickness absence and connected tribunal claims.
10. Stay compliant
It’s important that you keep your policies and processes under review to ensure that the business remains compliant in the future. You should undertake at least an annual audit of how data is processed, and provide regular training as new employees join or change roles. Those responsible for compliance should regularly check the latest guidance on the ICO website at www.ico.org.uk.
Tune in at 1pm on Friday at www.channelradio.co.uk/2.