Complying with the GDPR is anything but a box-ticking exercise; however, much of what’s required by the new regulation is an evolution, not a revolution. Individuals already have many rights under the current Data Protection Act, but the difference is that organisations will have to not only be compliant but also demonstrate and document compliance. With only three months to go, this is no easy task.


The truth is that organisations wishing to demonstrate compliance will have to commit time and resource to the GDPR. Organisations will need to demonstrate adequate data protection policies, codes of conduct and the implementation of suitable processes. The GDPR is an opportunity for organisations to reassess their processes, increase transparency and develop more meaningful relationships with staff, customers and suppliers alike.

Compliance with the GDPR goes beyond simply redrafting generic data protection policies; it’s about asking the bigger questions: how does the organisation wish to communicate with employees? What information is it asking for? Who has access to it and why? What information does it need to retain and for how long?

A lot of the GDPR comes down to good governance, yet many organisations may have become complacent about data protection. Moving forward, businesses must be prepared to invest time and money into changing the culture and mindset to ensure that, across the organisation, employees are aware of the importance of dealing sensitively and appropriately with personal data.

From an HR perspective, departments should be carrying out data audits to identify what data they are processing relating to employees and staff: what information they are receiving, from where, and what they do with it. Once organisations are aware of their current processes, they can use this information to identify where changes need to be made and the practical approaches that need to be implemented to ensure compliance with the GDPR. Communicating and giving training to staff in respect of any changes in procedure will be key.

A further impact for HR teams is around Subject Access Requests. We are already seeing an increase in employees using the existing Data Protection Act to access their personal data. This will undoubtedly become more prevalent after the introduction of the GDPR as individuals become more aware of their rights. Generally, we find that the responsibility for dealing with such requests rests with HR departments – unless organisations are large enough to have specialist information governance teams – inevitably adding to HR workloads.

Andrew Hartshorn, partner in the information law team, and Lara Feghali, associate in the employment team, at Shakespeare Martineau.
