GDPR compliance for small businesses

Katy Cracknell • July 31, 2020
This month has seen privacy campaigners claim that England's test and trace programme has broken a key data protection law, and although GDPR came into effect in 2018, there is still a lot of confusion about what the regulations mean for small businesses. So what should small businesses be aware of when it comes to GDPR? We simplify the key points for you below.

Do I need a Data Protection Officer (DPO)?
Most small businesses will not need a Data Protection Officer, unless their core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), or consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. If you do need a DPO, they must be independent, an expert in data protection, adequately resourced, and report to the highest management level.

Know what data you store and why and document your processes
Under the GDPR, a key requirement is that personal data should only be retained for as long as there is a clear business need for it, and it should be securely destroyed (for instance, by shredding) after that period has passed. As an employer you must be able to justify why you are keeping the data for as long as you are.

As a minimum, you will need to set out the purpose for processing personal data and how you will hold it (including the retention periods for each type of data that you hold). This should take the form of a Privacy Notice, and it should be made available to all new and existing employees.

Regularly review the data you hold
You should regularly review the data you store for each individual and decide if it is still necessary to keep it. If you find that you are storing data that you do not need, delete it!

Employees have the ‘right to rectification’ if they believe any data you are holding about them is inaccurate. Using HR software takes the administration headache away, as it allows employees to change their personal details themselves.

Make sure your security is up to scratch
Most importantly, you must ensure that you have up-to-date processes in place to keep your employees’ data safe and secure. HR software can address some of these security issues, but you must also consider any paper records you hold, the security of your building, and the IT equipment that you and your employees use, including how it is used and stored (for example, if you allow employees to transport work laptops between the office and their home).

The easiest way to assess the risks is to carry out an assessment that identifies where security could be weak. For example, when working from home, does an employee use a personal, shared family laptop? If so, do they have a separate password?

Sharing data with a 3rd party
You will also need to consider whether you are sharing employee data with a 3rd party, such as a payroll or HR provider. If you do, you should create an agreement between both parties that sets out the expectations and responsibilities of each, to ensure that you don’t fall foul of the legislation.

Ex-employees and the ‘right to be forgotten’
Remember that it’s not just your existing employees who have rights under GDPR. Ex-employees can ask at any time that you delete any personal data you hold about them – this is the ‘right to be forgotten’. If the data is no longer required for the purposes for which you collected it, you must comply with the request and delete the personal data.

Own it!
As an employer, you’re responsible for ensuring your business stays compliant with the GDPR. This means having effective data protection policies in place, reporting any data breaches that occur, and training your employees on how to comply with the guidelines. If you are reported, or fail to report an incident, it can be costly, with fines starting from £1,000.

So if you haven’t already done so this year, remember to review the data that you hold and your policies, and if in doubt, seek professional help to ensure you remain compliant at all times.