On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force and will replace the Data Protection Act 1998. It is designed to give tighter security to personal information. Data controllers and data processors are responsible for ensuring personal data is held securely. For organisations that breach the GDPR the fines are potentially huge, running into millions of pounds: up to £10 million or 2% of turnover. The data controller carries the heaviest burden, whilst data processors need to ensure that data is held confidentially and compliantly and that security problems are addressed.
There are six processing principles – lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality.
So how can HR prepare an organisation for this onerous responsibility?
The first step would be to undertake a data protection audit. Depending on the size of the organisation it might be a good idea to create a project team drawn from different departments; for smaller organisations a team of at least two is ideal. The audit will then need to identify the data that is collected along with the purpose for collecting it, identify the legal basis you are seeking to rely on, review data collection, storage, retrieval and record keeping, review service providers and data processors (including third-party outsourced partners) and analyse the risk arising from any compliance gaps. The organisation should then update or implement the relevant HR policies, such as data protection, recruitment, IT, disciplinary, whistleblowing, data subject access requests and privacy notices.
As many private sector organisations may not currently have a privacy notice in place, it is essential to develop one that gives employees information on what data will be processed and how. The privacy notice also needs to detail their rights and obligations, clearly identify the Data Controller (usually the CEO) and explain what to do in the event of discovering a data protection breach. A detailed privacy notice could be issued along with an employment contract or become part of a staff handbook.
Given the seriousness of this forthcoming law and the implications for non-compliance, it might be a good idea to implement training in GDPR across the workforce.