You cannot have escaped the fact that our data protection laws are changing, and that the EU’s General Data Protection Regulation (GDPR) will be implemented into UK law on 25 May 2018.
All employers will be legally obliged to comply with the new stricter GDPR requirements and, as with the current data protection regime, a failure to comply can lead to possible fines, claims and reputational damage.
Under the new rules employers will be required to demonstrate data protection compliance by documenting their data handling procedures. To assist your organisation in preparing for this change and the other challenges posed by the GDPR in advance of 25 May 2018, here are ten steps your organisation should take towards data protection compliance:
1. Build and maintain a data governance system
- Establish a leadership team responsible for GDPR implementation.
- Check the resources available within the business to support implementation.
- Where appropriate appoint a Data Protection Officer. This is a mandatory requirement if you are a public authority or if your core activities consist of:
- processing operations which by virtue of their nature, scope or purpose require regular and systematic monitoring of data subjects on a large scale; or
- processing special categories of personal data on a large scale.
2. Conduct an HR data audit
- Compile a table setting out the categories of data you process (e.g. recruitment or payroll).
- For each category of data, document what personal data you hold, why you hold it, where it came from, who you share it with, where you hold it and how and when the data is disposed of.
3. Establish a lawful basis for data processing and document it
- Consider the lawful basis for each processing activity you undertake and document it (e.g. for transferring an employee’s data to HMRC for tax purposes you would rely on it being necessary to comply with a legal obligation).
- You should review the situations where you rely on consent as a lawful ground for processing data. Generally, consent should not be used for processing employee data (and another lawful basis considered).
4. Review and update employment contracts and policies
- Review your employment contracts and update data protection provisions.
- Review or implement your data protection policy (also known as a ‘privacy standard’).
- Review or consider implementing data retention policies, IT/security policies and subject access request documents.
- Also consider your disciplinary policy, and ensure that breaching data protection rules is listed as potential gross misconduct.
5. Data subjects’ rights
- Configure systems and put in place processes to accommodate data subjects’ rights, including access to data, rights to rectification and erasure of data, portability, objection to automated processing and revocation of consent.
- A summary of data subjects’ rights should be included in your data protection policy (privacy standard).
6. Prepare privacy notices.
- Review your privacy notices and ensure that they contain the relevant information about processing activities required under the GDPR (Article 13).
- Privacy notices should inform employees (and applicants for employment) about what data the employer holds, how it is used and for what purposes.
- The information should be prepared using concise, easy to understand and clear language.
7. Prepare privacy impact assessments
- These need to be undertaken when processing will pose a particular risk to data subjects, for example as a result of new technologies. They are also mandatory in the following circumstances:
- Any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- Processing on a large scale of special categories of personal data or of personal data relating to criminal convictions and offences; or
- Any systematic monitoring of a publicly accessible area on a large scale.
- Be aware of when privacy impact assessments are required and ensure that you have procedures in place for these to be undertaken and documented.
8. Prepare for security breach response and notification.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Set up an internal records register to record breaches and any remedial action taken.
- Establish systems and channels for communicating with your data protection authority.
9. Data processors
- Identify all current processing arrangements (eg. external payroll providers) and put those processors on notice that contract terms will need to be amended in line with the GDPR.
- Prepare new template contracts.
- Ensure all existing contracts are updated prior to 25 May 2018.
- Consider a training programme for all staff to raise awareness of the GDPR and assist in achieving and demonstrating compliance.