“Telling people what you are doing with their data is not the same as getting their consent,” says Alison Deighton, data protection lawyer at TLC.

Alison was speaking at the GDP Summit London. Traditionally, employment contracts have seen quite broad wording, and she cites ‘you consent to do all the following’, covering things such as administrating pay and appraisals. But actually you need to distinguish between the requirement of telling people what you are doing and whether you need to get consent for that, and then how, tactically, you give those notices such that they are transparent about how you are using data. This will entail looking at the different touch points where you will be collecting data – so for job applications, there will be some initial data gathering, and for successful applicants you will probably ask for more data. There is another opportunity when you sign them up to their contracts, so you need to tell them what they are doing. And then throughout the term of their employment, there might be changes in what you want to do with the data.

As for accountability, you need to show you have the right measures in place to comply with GDPR, so you need to show you have the right policies and processes in place and document them.

Another key area is training, so you need to train your staff on those processes and ensure that they understand them.

Finally, there is ongoing monitoring and auditing – at this stage you need to ensure staff are actually following the procedures and policy, checking that the well-laid-out plans really work in practice.

It’s a lot to do and think about, to put it mildly, but imperative, all the same.

