With only 3 months to go until the General Data Protection Regulation becomes applicable, the data protection compliance clock is ticking, so now is the time to make sure that your organisation is prepared – and to find out how Boyes Turner can get you GDPR ready.
What is “GDPR” and will it apply to our organisation?
“GDPR” stands for the General Data Protection Regulation – EU legislation setting out this new legal framework. The GDPR represents a significant overhaul of the UK’s current data protection law. GDPR applies to all organisations that process the personal data of EU citizens (data subjects). Personal data must relate to a natural and identifiable person. If your organisation holds, uses or processes personal data about UK or EU citizens – which includes employees, workers, customers or clients and members of the public - then the answer is “yes”, GDPR applies to you.
GDPR and Brexit?
Once we leave the EU, the Data Protection Bill will be enacted in the UK to broadly implement the requirements under the GDPR. So, if you are wondering whether your organisation will need to comply with GDPR standards after Brexit, the short answer is again “yes”.
Data Protection Principles
“Accountability” is a key principle enshrined in the GDPR framework. Whilst this principle has been implicit in the current regime, its significance is elevated as an express requirement under the new framework. Accountability means that your organisation needs to be able to demonstrate compliance with GDPR. Depending on how big your organisation is and/or what it does with personal data, it might be subject to:
- rules relating to data processing impact assessments;
- record keeping obligations; and
- a need to have a designated Data Protection Officer responsible for championing data protection within your organisation.
Other processing principles include processing data in a lawful and transparent way, collecting and processing data for a legitimate purpose only, ensuring data is accurate and up to date, and storage limitation, which means storing data for no longer than is necessary.
Getting GDPR employment data ready – the HR to do list
So what steps should organisations be taking NOW…
1. Spring clean data – and keep it secure!
Now is a good time to remove personal data that is no longer required, wrong or out of date. If you hold inaccurate data and have shared this with another organisation, you will have to notify the other organisation about the inaccuracy so it can correct its own records. An audit of personal data held may be required to decide what needs to be kept. Moving forwards, mechanisms should be put in place for periodic reviews. In particular, when conducting audits, think about and document:
- What personal data do you hold?
- Where did it come from?
- Who have you shared it with?
- Why do you need it?
You should also be thinking about whether you have the technology and systems in place to comply with the GDPR. Many of you may have heard the expression “privacy by design and by default” in relation to GDPR. How safe is the data you hold? Also, is data organised in such a way that it can be easily retrieved or identified? If you use a third party data processor such as a payroll provider, have you renegotiated your commercial terms to take account of GDPR obligations?
2. What’s your processing justification – can you still use consent?
Many of you will still be using blanket consent clauses in your standard contracts of employment to justify data processing. The justification for data processing is known as the “lawful basis”. In the GDPR era, consent is going to become more problematic for employers to use as justification for the processing of employee data. This is because consent has to be clear, explicit, informed and freely given – which is not the case when it is buried away in an employment contract. Also, consent can be revoked – not great when you need to process personal data to pay your employee!
So, what is going to be your lawful basis? There are some listed in the GDPR which do help employers – do you know what these are? You need to tell data subjects what your lawful basis is in your Privacy Notice (see below), plus, you will need to update your employment contracts and policies.
3. Privacy Notices
Privacy Notices need to be provided to individuals before or at the time of data collection to inform the individual of processing activities undertaken by the data controller (i.e. the organisation collecting the personal data). In the employment context, employers will usually issue a Privacy Notice at the recruitment stage as well as provide other details during employment to explain what data is held, why and for how long. One Privacy Notice does not cover all data uses. Your organisation will need a Privacy Notice dealing with employee data.
4. Update contracts and policies
Relevant contracts and policies should be updated to meet GDPR requirements (particularly, compliance with its Principles). Additionally, your policies should deal with individual rights under the GDPR regime such as subject access requests. Many individual rights under the current regime are carried into the GDPR but there are also some enhancements.
Can your organisation practically deal with these rights, if required? Have you reviewed relevant policies, such as Data Protection or IT policies? Now is the ideal time to dust off the cobwebs and give these a thorough refresh.
5. Train your staff
Policies are pointless if you do not train your staff on them. Training programmes should be put in place for managers and staff handling data. These should also cover things such as reporting potential breaches (within 72 hours of becoming aware of them under the GDPR). Do staff understand their responsibilities? Is there a central point of contact, such as a Data Protection Officer, to which enquiries can be directed? Training will be even more important under the new regime, with fines for non-compliance increasing from the current maximum of £500,000 to up to $20 million or 4% of global turnover.