The ICO’s has published it's “12 steps to take now” guidance. This sets out the following areas that businesses need to consider before the regulations come into force on the 25th of May 2018:

  • Awareness – let the relevant people in your organisation know that the law is changing
  • Information audit – check what data you hold and who you share it with
  • Privacy information – check your current privacy notices and make a plan for change
  • Individuals’ rights – check how you currently comply with individuals’ rights e.g. complying with a subject access request or deleting personal data
  • Subject access requests – plan how you will make changes to the process when the new law is here
  • Lawful basis – check you have a lawful basis for processing data. Employers who process data for employment purposes are likely to be able to rely on the lawful basis of “performance of a contract” for most data processing, but potentially not all processing
  • Consent – review how you obtain consent for processing data
  • Children – reviewing procedures for verifying ages and obtaining parental/guardian consent (not likely to have a great impact on the area of employment)
  • Data breaches – review how you would notify a breach
  • Impact assessments – consider how to implement data protection impact assessments
  • Data Protection Officer – do you need a DPO? Who will ensure your compliance with GDPR?
  • International – If you operate in more than one member state, determine a lead data protection supervisory authority.

Source: ICO

Related articles

Data Subject Rights

Breaches of Data & Fines

FREE employment law advice for businesses

Request your free call back now to speak to our HR experts. Get your employment law questions answered today.

Enjoying our posts?

Take a look at our latest article on The New Workforce

Request a demo

If you are an existing customer please call 0800 783 2806 or email