What is the GDPR?

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and replaces the current Data Protection Act 1998 (DPA).

Why do you need to take action?

Under the DPA, organisations were thought to be compliant until there was a data breach. Under the GDPR, this is no longer the case; you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.

What you need to do now

  1. Appoint a member of your organisation as a data controller and ensure that you are registered with the Information Commissioner’s Office (ICO). As well as dealing with the data relating to their customers and other organisations, employers need to have regard to personal information collected from those who work for them.

  2. Personal data, of employees or other persons, may only be kept for a legitimate purpose. It must also be relevant and limited to what is necessary and must be accurate and kept up to date. Here is an Access to Employee Data — GDPR Policy that you should circulate in your organisation.

  3. Update your Data Protection — GDPR Policy which confirms that your organisation endorses fully and adheres to the six principles of data protection, as set out in the Article 5 of the GDPR.

  4. Compile a GDPR information asset register for employee data held by your organisation.

  5. Issue each employee with a GDPR Privacy Notice or post it on the staff notice board or intranet to confirm to employees and other parties that you are taking your obligations under the GDPR seriously.

  6. In order to be able to process employee data under the GDPR you should make a legitimate interests assessment for each employee. Documentation and advice on completing this assessment can be found here Use of employee data and Legitimate Interests Assessment.

  7. Download this GDPR factsheet to check and demonstrate your compliance with the GDPR.

    Employer Factsheet: General Data Protection Regulation — GDPR

  8. Ensure that your employees are fully aware of their rights and duties under the new legislation by sharing this factsheet with them:

    Employee Factsheet: General Data Protection Regulation — GDPR

  9. Indicate how your organisation intends to meet its responsibilities by adapting this template to suit the individual needs of your organisation showing that you are preparing for the GDPR. This template is not a legal document but an indication of how an organisation intends to meet its responsibilities under the GDPR and can be displayed on your website:

    GDPR Compliance Statement

  10. Train your staff about the GDPR using this General Data Protection Regulation — Staff Awareness Training Presentation.


Recent events have brought the GDPR back on to the agenda as the implications of how organisations are going to be expected to deal with the current Covid-19 pandemic have become apparent. The Government requires businesses to support the NHS Test and Trace service by keeping a temporary record of customers and visitors for 21 days.

Detailed advice

Comprehensive advice on how to manage the GDPR can now be found in the Data Protection topic.

Summary advice

These feature articles give a summary overview of the GDPR.

General Data Protection Regulation

The General Data Protection Regulation update

Last reviewed 26 August 2020