identify all existing data systems and personal data processing, including that carried out by external providers (e.g. payroll). Consider using an Information Asset Register to record the categories of data held, where the data is located and who it is shared with
identify the purposes for which such data is processed and the legal basis for processing under the GDPR
assess what automated decision-making (if any) you carry out and ensure that it is not solely automated
ensure that systems are adequate so that employee data is kept secure, is updated and deleted when appropriate, and can be deleted or rectified on receipt of an employee request
note new timeframes (“without delay” and within one month with potential extension for complex/numerous requests) for responding to Data Subject Access Requests and update internal procedures accordingly.