February

GDPR compliance is fast approaching, and despite UK firms' general optimism, guidance on how to approach the regulations may not be released until next April.

The Article 29 Working Party announced that it has only just begun its consultation on GDPR, which closes on January 27, 2018. The UK Information Commissioner 's Office (ICO) had originally pledged to publish consent guidance for GDPR in June 2017, but it was delayed, as well. At the time ICO claimed that it was waiting for the Article 29 Working Part, which involved one member from each EU member state, to release its consent guidance. In order to ensure smooth compliance, several industry associations have urged the Government and ICO to align itself as closely as possible with the EU on data protection policy.

Almost half (47%) of UK office workers don 't know whether their company is taking action to comply with the new European General Data Protection Regulation (GDPR), according to research from Fellowes. However, with the regulation intending to enhance individual's rights over their data, employers may want to consider how to manage GDPR in respect to employee data.

GDPR requires that all employers are data controllers of employee personal data, which will require significant changes to the way HR manages information. According to Fellowes, employers should also set up an internal process for their employees to raise requests, and for the HR department to have the opportunity to reply.

Any company that extrapolates data - whether it 's from customers, partners or employees - will need to identify legal grounds for processing that data, under the incoming General Data Protection Regulation (GDPR).

HR departments are often flagged as a high risk to the business in GDPR audits, according to Matthew Holman, Principal at EMW LAW, and must consider all avenues when processing employee data. He adds that gone are the days of HR simply relying on a standard clause buried deep within an employment contract whereby the employee gives blanket consent to the processing of their personal and sensitive data.

HR teams should consider whether they can document a good justification that will stand the test of scrutiny, including what sort of personal data is involved, how many employees are affected, whether employees are likely to be surprised or upset about the processing if they were to find out about it, and more.