Introduction to this document

GDPR employee data processing checklist

Our checklist sets out the various tasks you’ll need to undertake to ensure UK GDPR compliance. Whilst some involve producing documents, others are geared towards checking your current processing operations and the security of your systems and training your staff.

Compliance checklist

Compliance with the UK GDPR is not only about putting new and amended documentation in place. That’s just one part of your compliance programme. Another part involves making active changes to your data processing operations on the ground so that they adequately protect personal data, e.g. changing your cyber security practices and putting processes in place to monitor staff compliance with your data protection and security policies. You’ll also need to implement a UK GDPR awareness training programme for all your staff. Our GDPR Employee Data Processing Checklist will assist with your compliance programme.

Our checklist covers the following aspects of your compliance programme:

  • conducting an employee personal data audit, constructing a data map, cleansing databases and checking the accuracy of current personal data
  • appointing someone to be responsible for data protection compliance
  • compiling a record of your data processing activities
  • reviewing current IT systems and processes and deploying encryption technology
  • identifying and documenting your lawful basis for processing each category of personal data, ensuring you only use consent as a lawful basis in specific circumstances and reviewing standalone consent forms
  • rewriting and issuing privacy notices, reviewing and updating employment contracts and any affected policies in your staff handbook and putting in place a data protection policy
  • putting in place processes to respond to data subject access requests and employees who exercise any of their other UK GDPR rights
  • implementing policies and processes covering data retention and destruction
  • integrating data protection by design and default into your processing activities and producing a data protection impact assessment
  • reviewing and updating any commercial contracts with third-party service providers
  • developing a data breach policy and response plan
  • providing staff training and implementing regular reviews and testing your systems to assess ongoing compliance.