Employment Lawyer Highlights Key Action Points For Businesses
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. With less than six months to go there is still time to prepare, but HR departments have a lot to do to ensure that their businesses will be compliant with the new legislation.
The following steps should be taken over the coming months:
1. Data Audit
Businesses should carry out a data audit in order to identify areas where action needs to be taken to ensure compliance with GDPR. There is no set way to carry out a data audit, but businesses need to understand the staff data held within the organisation, where that data comes from and where/how it is stored, what happens to it whilst it is within the organisation and when and how it is deleted. Where any areas of non-compliance are identified, or where activities pose a risk, the business will need to formulate a plan to address them.
2. Reviewing employment contracts and policies
Under the GDPR, consent must be specific, informed and freely given, which means that individuals should have a genuine and free choice as to whether or not to consent to the processing and should be able to refuse or withdraw consent. It is very common within the UK for employers to have general “catch all” consent clauses within employee contracts or data protection policies. These will no longer be valid forms of consent and employers need to review employment contracts and policies to decide whether consent should be relied upon at all and if yes, in which form.
3. Reviewing data policies
The business’s data policy will most likely need reviewing. The updated data protection policy should set out clearly:
- What personal data is and why data protection is important
- Information about the employer's collection and use of employees' personal data, on what basis and why this is processed
- What the data rights of employees are and how the employer will ensure that these are upheld
- How data breaches are dealt with
- The consequences, for the business and individual, of non-compliance
The written policy should also set out when and how specific categories of personal data are deleted. It should include the new “right to be forgotten”, requiring employers to delete personal data where the data is no longer necessary for the purpose in relation to which it was collected, consent has been withdrawn or if the data was processed in breach of the GDPR.
4. Data Breach
The GDPR will introduce a duty on all organisations to report any data breach within 72 hours, unless it is unlikely to result in a risk to the rights and freedoms of the individual affected. If the breach is high risk, the individual may also need to be notified.
Businesses should therefore have an internal reporting procedure in place which should include:
- guidance on what constitutes a data breach
- decision-making protocols about whether notifications are necessary, who will be responsible for such notifications and timescales
- recording systems for all breaches, including those where there was no obligation to notify the ICO
5. Staff Training
Properly trained staff can make all the difference, not only in demonstrating a business’s commitment to upholding the principles of data protection within the GDPR, but also in ensuring that staff data is properly and lawfully obtained, stored, processed and deleted and in helping to prevent any data breaches. All staff should be trained in handling data and the training must be evidenced and monitored.
By taking these important steps, businesses will be ready to embrace the GDPR in May 2018.
This article appeared in People Management on 7 December 2017.