GDPR: Data Audits

With 12 weeks to go until GDPR comes into effect, this is the first in a series of short pieces on the most important aspects of GDPR.

With 12 weeks to go until GDPR comes into effect, this is the first in a series of short pieces on the most important aspects of GDPR which employers need to be addressing in advance of 25 May 2018.

First up, Data Audits

This is the aspect which will require the most from you as employers (if you have not already done so).  However, once done, it will feed into the majority of the other tasks required to be undertaken to ensure compliance.
In short, all employers should conduct a review of all the personal data/special categories of personal data (sensitive personal data by another name) which you hold/process and look at:
1.    Why you have it?
2.    Whether you need it?
3.    What you do with that data?
4.    The type of data it is?
5.    Whether there is a lawful processing basis for retaining it under GDPR?
6.    How long you need to keep it?
7.    What measures you have in place for keeping it secure?
Under GDPR you are only to process and/or retain personal data if you have a specified lawful basis to do so (usually one of: the performance of the employment contract; to comply with a legal obligation; and/or for the purposes of legitimate interests you pursue).  If you do not have a lawful basis, you should not retain it.  If you had a lawful basis but that has expired (i.e. you no longer need it), then there are limited circumstances in which you should retain it.  By conducting the audit, you will be able to identify not only the data you do not need but, more importantly, what you do need.  You are then able to look for a lawful basis upon which you can say it continues to be processed and ensure that it is retained securely.
This process will also help you identify any problem areas and may help you to rectify problems with security, retention or processing. We are happy to advise on any potential problem-areas identified. Should any data breaches occur in the future or should you be subject to scrutiny from the Information Commissioner in relation to compliance, this exercise will be a key corner-stone to you being able to demonstrate to the ICO that you have taken positive steps to comply with the GDPR and to show that you were aware of what you needed to do, and took steps to avert risk-areas.
The above questions should be addressed as soon as possible to enable appropriate steps to be taken in advance of 25 May 2018.
Should you have any questions on any of the above (or GDPR in general) please do not hesitate to speak to your usual contact in the Weightmans employment, pensions and immigration team or contact Ross Hutchison (  This information is focussed on the GDPR challenges faced by HR and those responsible for people-issues, but if you have wider concerns about GDPR and what it might mean for your business Weightmans are also happy to help.

Share on Twitter