Although 25 May 2018 had garnered an almost sacred status in the calendars of employers, the inconvenient truth is that GDPR compliance does not end on this date and will require a concerted ongoing effort to be maintained. The ICO has stated that GDPR compliance should be viewed as an evolutionary process for organisations, with 25 May simply being the date the legislation took effect. The ICO warned that no business stands still and organisations will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

As a reminder, from an HR perspective, the following steps should ideally have been taken prior to 25 May:

  • Information audit: you should have carried out an audit of the information you hold in order to identify the personal data and what you do with it.
  • Lawful grounds: in respect of each piece of personal data, you should have identified the legal basis for processing. As a reminder, there is a move away from relying on consent in the context of an employment relationship, since consent is only valid if it is "freely given".
  • Privacy notices: you should have prepared and communicated GDPR-compliant privacy notices to your employees, contractors and prospective recruits.
  • Contracts: you should have either reviewed and updated your data protection consent clause in your standard form employment contract, or otherwise notified the workforce that you will not be relying on such consent going forward.

If you have not yet had an opportunity to carry out the steps above, it is strongly recommended that you action these as soon as possible so that you can demonstrate to the ICO that you are taking a proactive approach to compliance.

Of course, even if the steps set out above have been achieved, this is not the end of the story. The ICO expects employers to continue to take proactive steps to maintain and improve their data protection position going forward.

Key to this is education and training of staff at all levels of the business. You should consider rolling out formal training for the business's senior decision-makers to educate them about the GDPR's new risk-based compliance approach, the new requirement of data protection by design and default and the potential impact of non-compliance, including the GDPR's significantly expanded monetary sanctions for compliance violations (up to EUR 20 million or 4% of annual global revenue for serious breaches). However, training on GDPR should not be limited to senior staff. It is likely that almost all staff in your business will have access to personal data at some point during their employment with you. As a business, you should regularly train staff to recognise personal data, understand how to keep it secure, recognise when a data subject is exercising their rights and, crucially, know what steps they need to take in the event of a data breach.

Robust policies and procedures are also essential. It is important to review and update existing data protection policies, including any IT security and data retention policies, as well as putting in place procedures or guidelines to deal with, as a minimum, (1) data subject access requests and (2) detecting, reporting and investigating any data breach (and the new requirement to notify the ICO of such a breach within a strict timescale).

In terms of the data you already hold, consideration should be given to carrying out a data purge, to minimise the data that you hold. Data should be securely deleted or destroyed where you do not (or no longer) have lawful grounds for processing. Data retention periods should also be reviewed and brought in line with best practice.

In the event that you start to process a new category of personal data, or you process personal data for a different purpose, the relevant privacy notice will need to be updated to reflect this. Ideally, someone in the business should be appointed to take responsibility for this.

Overall, the strong message that comes out of GDPR is that compliance is not a destination but a continual process of improvement. It is important for businesses to keep an eye out for any updated guidance, case law and best practice that emerges in respect of data protection. We will be writing about significant developments as they arise.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.