• HR to work with legal, compliance, IT and commercial/operations teams
• Identify what personal data you hold about employees and candidates (and where it came from)
• Identify all the ways in which you process personal data and the purposes of the processing
• Verify how long you currently retain the personal data and how long you need to keep the personal data for the purpose for which it is collected
• Identify any parties to whom you transfer personal data, including any international data transfers, for example, payroll and benefits providers and other group entities
• Review any associated contracts
• Audit current HR processes for compliance with the principles of “data protection by design” and “data protection by default”
• Identify any automated decision-making within HR processes, for example, in recruitment (automated rejection and short-listing), triggers for sickness absence or disciplinary action, attendance bonuses, shift and holiday rostering, and employee monitoring
• Ensure the audit is properly documented

• This will likely be employee consent, possibly obtained via a clause in the employment contract
• Confirm current basis for processing “sensitive personal data” (including details of criminal convictions and offences)

Schedule 3, DPA 1998 (sensitive personal data)

One of the following must apply:

• The employee gives valid consent (although consent will not be valid where there is a clear imbalance between the data subject and data controller, such as in an employment context)
• Necessary to carry out the employment contract
• Necessary for the employer to comply with a legal obligation
• Necessary to protect the vital interests of the employee or another person
• Necessary in the public interest or if the employer is exercising official authority
• Necessary for a legitimate interest of the employer or a third party which is not overridden by the interests or fundamental rights and freedoms of the employee

Recitals 32, 42 and 43 and Article 7, GDPR (consent)

• Valid explicit employee consent
• Necessary for carrying out employment rights and obligations, it is authorised by domestic or EU law and the employer has an appropriate policy document in place
• Necessary to protect the vital interests of the employee or another person where the employee is incapable of giving consent
• Processing by a foundation, association or not-for-profit with a political, philosophical, religious or trade union aim
• If the employee has made the personal data public
• Necessary for the employer to establish or defend legal claims
• Necessary for reasons of substantial public interest (including the processing of personal data revealing race, religious beliefs, health or sexual orientation for the purposes of promoting equality of treatment, and including processing necessary to determine eligibility for or benefits payable under an occupational pension scheme which can reasonably be carried out without the employee’s consent), and the employer has an appropriate policy document in place
• Necessary for the assessment of the employee’s working capacity either on the basis of domestic or EU law or pursuant to a contract with a health professional, and subject to confidentiality safeguards

Recitals 32, 42 and 43 and Article 7, GDPR (consent)

Section 10; paragraphs Parts 1, 2 and 4, Schedule 1, DPA 2018

• Necessary for carrying out employment rights and obligations and the employer has an appropriate policy document in place
• Valid employee consent (although consent will not be valid where there is a clear imbalance between the data subject and data controller, such as in an employment context)
• Necessary to protect the vital interests of the employee or another person where the employee is incapable of giving consent
• Processing by a foundation, association or not-for-profit with a political, philosophical, religious or trade union aim
• If the employee has made the personal data public
• Necessary for the employer to establish or defend legal claims

Recitals 32, 42 and 43 and Article 7, GDPR (consent)

Section 10; Parts 1, 2, 3 and 4, Schedule 1, DPA 2018

• Update data retention policy based on results of audit and apply it
• Securely delete or de-personalise all employee personal data where there is no lawful basis for the processing under GDPR

• For example, procedures relating to recruitment, promotions, compensation, disciplinary, grievances, performance management, sickness absence, employee monitoring and references
• Update data protection policy
• Update all policies and procedures to comply with the principles of:
• ”Data protection by design”: are the data protection principles taken into account in the design and operation of the policy/process? Are any necessary safeguards fully integrated?
• ”Data protection by default”: are there mechanisms in place to ensure that only the personal data necessary for each specific purpose is processed, including the amount of personal data collected, the extent of processing, the period of retention and the accessibility of the personal data?
• Conduct a data protection impact assessment (DPIA) if required
• Notify employees of changes to policies/handbook

Article 35, GDPR (DPIA)

• Identify the lawful basis allowing you to take decisions that significantly affect an employee based on automated processing:
• Necessary to carry out the employment contract
• The employer notifies the employee in writing of a decision based on automated processing and allows the employee the right to request a reconsideration within 21 days
• Valid explicit employee consent
• Ensure that suitable measures to safeguard the employee’s rights and freedoms and legitimate interests are in place, including the right to obtain human intervention, the right to express the employee’s point of view and the right to appeal any automated decision
• Automated decision-making on the basis of special categories of personal data must be permitted by valid, explicit employee consent or in the substantial public interest, with suitable measures to safeguard the employee’s rights and freedoms and legitimate interests

Article 22, GDPR

Article 13(f), GDPR (obligation to notify employee)

Section 14, DPA 2018

• Identify lawful basis for all data transfers, including in particular any cross-border data transfers
• Update all contracts with service providers to ensure they contain the mandatory protections
• Update procedures so that GDPR compliance forms part of due diligence when entering into a new contract with an HR supplier

Article 28, GDPR (contracts with processors)

Chapter V, GDPR

• Whatever the lawful basis for processing, prepare privacy notice to notify employees of mandatory information in clear and plain language within required timeframe
• Ensure that procedures are updated so that the mandatory transparency information is notified to employees and candidates when required as future personal data is collected or when the purpose of processing changes

Article 13, GDPR (information to be provided when personal data collected)

Article 14, GDPR (information to be provided when the personal data has not been collected from the employee)

Paragraphs 19 and 24, Schedule 2, DPA 2018 (disclosing legally privileged information and confidential references)

• Update SAR policy and procedures: new timeline, free of charge unless request is manifestly unfounded or excessive, new information requirements
• Arrange updated training for all staff who handle SARs

Article 15, GDPR

Paragraph 16, Schedule 2, DPA 2018 (protection of the rights of others: general)

Paragraphs 19 and 24, Schedule 2, DPA 2018 (disclosing legally privileged information and confidential references)

• Establish procedures for dealing with the withdrawal of employee consent to processing
• Establish procedures for dealing with employees’ rights to rectification, erasure (”right to be forgotten”), restriction of processing and data portability
• Establish procedures for dealing with employees’ right to object to the processing of personal data

Article 12, GDPR (timeframe for response and fee)

Article 16, GDPR (rectification)

Article 17, GDPR (erasure)

Article 18, GDPR (restriction of processing)

Article 19, GDPR (obligation to notify new parties)

Article 20, GDPR (data portability)

Article 21, GDPR (right to object to processing)

• Establish process for notifying candidates of how their personal data is processed and the lawful basis for doing so
• Prepare candidate privacy notice

Article 13, GDPR (information to be provided when personal data collected)

Article 14, GDPR (information to be provided when the personal data has not been collected from the employee)

• Establish whether you are required to appoint a DPO
• If so, appoint a DPO, scope the role in accordance with GDPR requirements and provide them with the necessary training and resources
• If a DPO is not mandatory, consider designating a senior individual as having responsibility for data protection

• Can the employer demonstrate compliance with the GDPR in all the above respects?
• Does the employer keep all mandatory records and can it show them to the ICO upon request?

Article 30, GDPR (records)

• Arrange updated training for all staff who handle personal data

• Ensure that all arrangements and privacy notice are subject to regular review for continued compliance
• Ensure any policy document relating to the processing of special categories of personal data or criminal convictions is subject to regular review and updated where appropriate