Implementation of the GDPR (General Data Protection Regulation) is looming: 25 May 2018, the date from which it applies, will soon be here. The GDPR is the biggest shake-up of data protection legislation since the Data Protection Act 1998 came in twenty years ago. In order to protect personal data the law requires every organisation that processes it to tighten up on how that data is handled, from acquisition to destruction. In this article I provide tips to assist you with GDPR compliance.
1. Identify the data controller in your organisation. Under the GDPR the controller is the organisation itself, as the body that decides why and how personal data is processed, so what you need to identify is the senior person who takes responsibility for data protection on the organisation's behalf. This is usually the Managing Director in a small company, and either the Managing Director or a board member in a larger one. Check the ICO (Information Commissioner's Office) registration requirements: the notification regime under the 1998 Act is being replaced by a data protection fee that most controllers must pay.
2. Consider appointing a Data Protection Officer (DPO). For public authorities, and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, appointing one is mandatory. The DPO should deal with day to day data protection issues and be the company's "fount of all knowledge" and the go-to person for personal data questions. In a small company the role could be combined part time with an existing role, provided that does not create a conflict of interest: the DPO cannot also be someone who decides the purposes and means of processing, so combining it with a head of IT or head of HR role needs care. Whoever holds the role needs to know data protection law and practice thoroughly in order to advise colleagues. A larger company could recruit to the role or appoint an external consultant with data protection knowledge.
3. In order to comply with the GDPR it is essential to undertake a data protection audit as soon as possible. This could be coordinated by a project team from within the organisation, or you could commission a consultant to undertake this potentially time-consuming task and then draft a report highlighting the compliance gaps.
4. Having identified the compliance gaps, gather together all the documentation that may be needed to comply with the law. Paperwork could include a data register (the record of processing activities that the GDPR requires of most organisations), an asset register, an asset management policy, an updated IT policy, a privacy notice, a Data Protection Officer job description, and so on.
5. Review all existing documentation to see whether it would stand up to scrutiny if the integrity of your processes were challenged, whether by the ICO or by a data subject. Changes may need to be made to employment contracts and staff handbooks, for example.
From 25 May 2018 the General Data Protection Regulation (GDPR) applies and will replace the Data Protection Act 1998. It is designed to give tighter protection to personal information. Data controllers and data processors are both responsible for ensuring personal data is held securely. For organisations that breach the GDPR the fines are potentially huge: up to €10 million or 2% of worldwide annual turnover, whichever is higher, for breaches of obligations such as record keeping and security, and up to €20 million or 4% of worldwide annual turnover for breaches of the processing principles and of data subjects' rights. The data controller carries the heaviest burden, but data processors now have direct obligations of their own and need to ensure that data is held confidentially and compliantly and that security problems are addressed.
There are six processing principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. A seventh, accountability, requires the controller to be able to demonstrate compliance with the other six, which is why the policies and records described below matter.
So how can HR prepare an organisation for this onerous responsibility?
The first step would be to undertake a data protection audit. Depending on the size of the organisation it might be a good idea to create a project team drawn from different departments; for smaller organisations a team of at least two is ideal. The audit will then need to identify the data that is collected along with the purpose for which it is collected, identify the legal basis you are seeking to rely on for each purpose, review data collection, storage, retrieval and record keeping, review service providers and data processors (including third party outsourced partners) and analyse the risk from any compliance gaps. Note that for employee data consent is rarely a safe legal basis, because of the imbalance of power between employer and employee; contract, legal obligation or legitimate interests will usually be more appropriate. The organisation should then update or implement the relevant HR policies, such as data protection, recruitment, IT, disciplinary, whistleblowing, data subject access requests and privacy notices.
As many private sector organisations may not currently have a privacy notice in place, it is essential to develop one that gives employees information on what data will be processed and how. The privacy notice also needs to detail their rights and obligations (including the right to complain to the ICO), clearly identify the data controller (the organisation, with its contact details and those of the Data Protection Officer where one has been appointed), state the legal basis and retention period for each purpose, and explain what to do in the event of discovering a data protection breach. A detailed privacy notice could be issued along with an employment contract or become part of a staff handbook.
Given the seriousness of this forthcoming law and the implications of non-compliance, it would be wise to implement GDPR training across the workforce.
If you would like assistance with a GDPR audit and GDPR toolkit then we can help. Give us a call on 07762 771290.