So (briefly) what is GDPR?
The General Data Protection Regulation (GDPR) aims to bring about a culture shift, changing the focus from regulating data processing activities (under the old Data Protection Act) to improving data security for more routine matters. GDPR requires ‘privacy by design’, meaning Companies will need to take an approach that promotes privacy and data protection compliance, rather than this being something that is considered as an afterthought or ignored altogether. The GDPR’s data protection principles are similar to the ones under the Data Protection Act and Companies must be able to demonstrate that any personal data they handle is:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept for no longer than is necessary where data subjects are identifiable
- processed securely and protected against accidental loss, destruction or damage.
So recruitment processes, performance management & bonus schemes, disciplinary and grievance procedures and any auto-processing, or use of employee data for marketing purposes, will need to reflect the new data protection principles.
There will also be a requirement for greater transparency on Companies, which will need to provide more information on what data they hold and what they do with that data, both to those inside the organisation, such as employees, and those outside it, such as customers or clients.
Companies will need to be able to demonstrate their compliance to the regulators (the Information Commissioner's Office in the UK) on an ongoing basis and to maintain relevant records. Individuals will have significantly increased rights to access their personal data. Companies will also be required to notify the ICO, and any individuals affected, if certain types of data breaches occur.
The most significant change for employers is the increased fines as breaches of GDPR may be subject to fines of up to €20M, or 4% of global annual turnover, whichever is the greater.
From an HR point of view, obtaining consent from employees to process their personal data will become much stricter, and employers are unlikely to be able to rely on this consent for processing employees’ data. So the new requirements mean that generic consents, for example in an employment contract, will not be a valid way to justify processing employee personal data, and new systems and paperwork will be needed.
So what do you need to do?
- Carry out an audit to identify any data protection risk areas with a view to creating a data protection by design and default culture.
- From the audit prepare an action plan that specifies what needs to be done when, who will do what and any internal and external support required.
- Consider what documentation must be prepared or updated.
- Review policies, processes and documentation and decide which need to be changed.
- Carry out some employee training to reinforce the changes.
- Consider what needs to be shown to whom to demonstrate compliance.
- Appoint a data protection officer to be in charge of all aspects of information including compliance with the Data Protection Act 1998.
In2HR audit
I have compiled a GDPR audit to undertake with clients which looks at the following:
- what personal and sensitive personal data you obtain from employees. This could be as simple as payroll information that is sent to your pension provider or less obviously, data that is collected from vehicle tracking systems which is then analysed internally
- how and where that data is stored, accessed and used, and the legal basis the Company has for collecting, storing and processing each piece of data it holds
- what data is shared with third parties including any data transfer out of the EEA
- what kind of monitoring of employees takes place and where, including the use of automated decision making
Get in touch if you want my help to get started or have any questions about data you collect and whether it is covered under GDPR.