Implementation of the GDPR (General Data Protection Regulation) is looming, as the deadline of 25 May 2018 will soon be here. The GDPR is one of the biggest shake-ups of data protection legislation in thirty years, since the Data Protection Act 1998 came in. In order to protect personal data, the law requires all organisations to tighten up on how they handle it, from acquisition to destruction. In this article I provide tips to assist you with GDPR compliance.
1. Identify the data controller in your organisation. This should be a senior member of staff: usually the Managing Director in a small company, and in a larger organisation either the Managing Director or a board member. The ICO (Information Commissioner's Office) will need to be notified.
2. Consider appointing a Data Protection Officer. This person should deal with day-to-day data protection issues and be the company's "fount of all knowledge" and the go-to person for personal data issues. In a small company this role could be incorporated part time into an existing role. The Data Protection Officer needs to know everything there is to know about data protection in order to give advice to colleagues. A larger company could recruit for the role or even appoint a consultant with data protection knowledge.
3. In order to comply with the GDPR it is essential to undertake a data protection audit as soon as possible. This could be coordinated by a project team from within the organisation, or a consultant could be commissioned to undertake this potentially time-consuming task, followed by the drafting of a report to highlight compliance gaps.
4. Having identified the compliance gaps, gather together all the essential documentation that may be needed to comply with the law. Paperwork could include a data register, an asset register, an asset management policy, an updated IT policy, a privacy notice, a data protection officer job description, etc.
5. Review all existing documentation to see if it would stand up to scrutiny if there were a challenge to the integrity of your processes. Changes may need to be made to employment contracts and staff handbooks, for example.
Now the excitement of the Christmas and New Year festivities has faded it’s time to get down to business and look ahead to identify the HR trends for 2018.
One major trend is the increasing need to focus on data protection. In May 2018 there will be a major shake-up of the data protection laws which have existed in the UK since 1984, designed to protect employees and consumers in how their personal information is held and managed by organisations. Organisations will need to undertake an audit of data protection procedures across departments to ensure personal information is handled in accordance with the new laws. An audit should methodically identify what data is held and why, who manages the data, what procedures are followed, and what needs to be altered to ensure compliance with the law. Subject access requests must now be handled within one month and without charging a fee. Employees and potential new employees must be informed of the exact reasons why their personal data will be processed. Organisations need to draw up a privacy notice that indicates what personal information will be managed and how. To be honest, data protection isn't the most exciting area of HR, but unfortunately if companies don't comply the consequences could be huge fines. To find out more, there is a wealth of information on the Information Commissioner's Office website: https://ico.org.uk/
Following the success of Unison in the Supreme Court in July 2017, employment tribunal fees have been abolished. The fees were introduced in July 2013 and meant that if an employee wanted to take their employer to an employment tribunal for unfair dismissal they had to find £1200, which is a hefty sum if you have just lost your job. The Supreme Court decided that the fees were unfair and were a barrier to justice. Anyone who has paid employment tribunal fees since 2013 is entitled to apply for a refund.
The statistics from 2013 (https://www.gov.uk/government/collections/tribunals-statistics) showed a dramatic reduction in the number of employment tribunal claims being lodged, which was the main intention of the Conservative government. Since the abolition of the fees there has been a noticeable increase in the number of claims being lodged, although at the moment they have not reached anywhere near the level seen in 2013 before the fees were introduced. However, give it time. There remain a lot of unscrupulous employers out there who fail to treat their employees well. It now costs nothing to lodge a claim, so during 2018 we could well see the number of claims continue to rise.
The latest unemployment figures show the rate is 4.6%, which means there is very little wriggle room for employers to find new staff. The skills shortage, and therefore this trend in the UK, will continue and may get worse. This is a phenomenon that has been around for quite a while in the UK, with many industry sectors suffering and competing for staff. The skills shortage may get worse in some industry sectors, with Brexit prompting skilled staff to return to their homes elsewhere in Europe.
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force and will replace the Data Protection Act 1998. It is designed to give tighter security to personal information. Data controllers and data processors are responsible for ensuring personal data is held securely. For organisations that breach the GDPR the fines are potentially huge, running into millions of pounds: a fine of up to £10 million or 2% of turnover. The data controller carries the heaviest burden, whilst data processors need to ensure that data is held confidentially and compliantly and that security problems are addressed.
There are six processing principles: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality.
So how can HR prepare an organisation for this onerous responsibility?
The first step would be to undertake a data protection audit. Depending on the size of the organisation it might be a good idea to create a project team from across different departments. For smaller organisations a team of at least two is ideal. The audit will then need to identify the data that is collected along with the purpose, identify the legal basis you are seeking to rely on, review data collection, storage, retrieval and record keeping, review service providers and data processors (including third-party outsourced partners), and analyse the risk from any compliance gaps. The organisation should then update or implement relevant HR policies such as data protection, recruitment, IT, disciplinary, whistleblowing, data subject access requests and privacy notices.
As many private sector organisations may not currently have a privacy notice in place, it is essential to develop one that gives employees information on what data will be processed and how. The privacy notice also needs to detail their rights and obligations, clearly identify the Data Controller (usually the CEO) and explain what to do in the event of discovering a data protection breach. A detailed privacy notice could be issued along with an employment contract or become part of a staff handbook.
Given the seriousness of this forthcoming law and the implications for non-compliance, it might be a good idea to implement training in GDPR across the workforce.
If you would like assistance with a GDPR audit and GDPR toolkit then we can help. Give us a call on 07762 771290.