In our last blog we looked at the GDPR Principles and new rights that employees (data subjects) now have. In this blog we will discuss how you can establish what data you currently have and why this is so important.

Quite simply, before you can manage your data, you need to know what you have, where it came from, where and how you keep it, what you do with it and how long you keep it! Sounds simple enough, but you may be surprised how complex this becomes.

The first step is to create a data register – make a list of all the employee data that you keep, e.g. name, address, mobile phone, etc. To help make this list you can look at your new starter form, your employee file, talk to payroll, etc. Remember to include recruitment, as this will also cover applicants (successful or otherwise).

Once you have your list, ask yourself questions. Think about the Principles we covered in the previous blog and ask questions around these. Some questions will be:

Where does the data come from? e.g. applications may come from individuals directly or from recruitment agencies. Personal data may be provided by the employee directly; references may come from past employers.

Where do you keep it? e.g. is it in paper files or electronic – or both? Is it in more than one place, e.g. a copy with a manager and a copy on the personnel file? Is it on spreadsheets, on a computerised database, or with third parties, e.g. payroll?

Why do you keep it? Understanding why you keep the data will help you identify a legal basis / justification for keeping data (see next blog). For example, you will need personal details for a contract of employment and to set up a personnel file, etc. You will need bank details to be able to pay the employee.

How long do you keep it? If you know how long you keep it for, you can start to identify whether you will need to destroy any old data.

Who has access to it? This is not just about in-house access, but also about third parties.

Once you have asked and answered these key questions, only then are you in a position to start to manage the data. For example, if you find that your personnel files are not kept in a secure filing cabinet, then you need to make sure they are! If people are copying data onto memory sticks or laptops, or emailing information to their home computer, you will need to review your security (and remember that email is not secure, so this will need some consideration if you send personal data via email!). This may be where you need some input from IT.

You can refer back to the Principles (previous blog) as you work through what you have and ask whether you meet the Principles for the data you hold.

If we can be of assistance please do not hesitate to contact us on 01702 216573 or email me at

Useful links

The Information Commissioner – Telephone number: 0303 123 1113

GDPR (Regulation 2016/679/EU)