With only 3 months to go until the General Data Protection Regulation becomes applicable, the data protection compliance clock is ticking so now is the time to make sure that your organisation is prepared – and to find out how Boyes Turner can get you GDPR ready.
What is “GDPR” and will it apply to our organisation?
“GDPR” stands for the General Data Protection Regulation – the EU legislation setting out this new legal framework. The GDPR represents a significant overhaul of the UK’s current data protection law. GDPR applies to all organisations that process the personal data of individuals in the EU (data subjects). Personal data is any information relating to an identified or identifiable natural (living) person. If your organisation holds, uses or processes personal data about UK or EU individuals – which includes employees, workers, customers or clients and members of the public – then the answer is “yes”, GDPR applies to you.
GDPR and Brexit?
The Data Protection Bill currently before Parliament will enact the GDPR’s requirements into UK law so that they continue to apply once we leave the EU. So, if you are wondering whether your organisation will need to comply with GDPR standards after Brexit, the short answer is again “yes”.
Data Protection Principles
“Accountability” is a key principle enshrined in the GDPR framework. Whilst this principle has been implicit in the current regime, its significance is elevated as an express requirement under the new framework. Accountability means that your organisation needs to be able to demonstrate compliance with GDPR. Depending on how big your organisation is and/or what it does with personal data it might be subject to:
- rules relating to data protection impact assessments;
- record keeping obligations; and
- a need to have a designated Data Protection Officer responsible for championing data protection within your organisation.
The other processing principles include processing data lawfully, fairly and transparently; collecting and processing data for specified, legitimate purposes only; limiting the data collected to what is necessary (data minimisation); ensuring data is accurate and up to date; and storage limitation, ensuring that data is kept for no longer than is necessary.
Getting GDPR employment data ready – the HR to do list
So what steps should organisations be taking NOW…
1. Spring clean data – and keep it secure!
Now is a good time to remove personal data that is no longer required, wrong or out of date. If you hold inaccurate data and have shared it with another organisation, you will have to notify that organisation of the inaccuracy so it can correct its own records. An audit of the personal data held may be required to decide what needs to be kept. Moving forwards, mechanisms should be put in place for periodic reviews. In particular, when conducting audits, think about and document:
- What personal data do you hold?
- Where did it come from?
- Who have you shared it with?
- Why do you need it?
You should also be thinking about whether you have the technology and systems in place to comply with the GDPR. Many of you may have heard the expression “privacy by design and by default” in relation to GDPR. How secure is the data you hold? Also, is data organised in such a way that it can be easily retrieved or identified, for example to answer a subject access request? If you use a third party data processor such as a payroll provider, have you renegotiated your commercial terms to take account of GDPR obligations, in particular the mandatory contract terms the GDPR requires between controllers and processors?
2. What’s your processing justification – can you still use consent?
Many of you will still be using blanket consent clauses in your standard contracts of employment to justify data processing. The justification for data processing is known as the “lawful basis”. In the GDPR era, consent is going to become more problematic for employers to use as the justification for processing employee data. This is because consent has to be freely given, specific, informed and unambiguous – which is hard to show when it is buried away in an employment contract and the employee has little real choice but to sign. Also, consent can be withdrawn at any time – not great when you need to process personal data to pay your employee!
So, what is going to be your lawful basis? There are some listed in the GDPR which do help employers – do you know what these are? You need to tell data subjects what your lawful basis is in your Privacy Notice (see below), plus, you will need to update your employment contracts and policies.
3. Privacy Notices
Privacy Notices need to be provided to individuals before or at the time of data collection to inform the individual of processing activities undertaken by the data controller (i.e. the organisation collecting the personal data). In the employment context, employers will usually issue a Privacy Notice at the recruitment stage as well as provide other details during employment to explain what data is held, why and for how long. One Privacy Notice does not cover all data uses. Your organisation will need a Privacy Notice dealing with employee data.
4. Update contracts and policies
Relevant contracts and policies should be updated to meet GDPR requirements (particularly, compliance with its Principles). Additionally, your policies should deal with individual rights under the GDPR regime such as subject access requests. Many individual rights under the current regime are carried into the GDPR but there are also some enhancements.
Can your organisation practically deal with these rights, if required? Have you reviewed relevant policies, such as Data Protection or IT policies? Now is the ideal time to dust off the cobwebs and give these a thorough refresh.
5. Train your staff
Policies are pointless if you do not train your staff in them. Training programmes should be put in place for managers and staff handling data. These should also cover things such as reporting potential breaches: staff need to escalate a suspected breach promptly, because under the GDPR an organisation must notify the ICO of a reportable breach within 72 hours of becoming aware of it. Do staff understand their responsibilities? Is there a central point of contact, such as a Data Protection Officer, to which enquiries can be directed? Training will be even more important under the new regime, with the maximum fine for non-compliance increasing from the current £500,000 to up to €20 million or 4% of annual worldwide turnover, whichever is higher.
How can Boyes Turner get you GDPR ready?
It might seem daunting and many of you might not have started thinking about what changes are necessary. Don’t worry – you are not alone! We can help your organisation get GDPR ready – be it in relation to employment-related data or commercial client information. This is how:
- Training and awareness – we are training clients and wider employee populations on the implications of GDPR. Be it face to face update sessions or eLearning modules, we have the training to suit you. There are potential directors’ liabilities being introduced under the Data Protection Bill, so there is a real need for boards to know about these changes.
- Contracts, policies and Privacy Notices – we have produced an Employment Data Protection Toolkit with a suite of GDPR ready documents. Sounds simple… it is! For information about our Toolkit, email us.
- Training workshops – our colleagues in our Commercial Team are running a GDPR workshop on 6 March 2018.
- Third party processors – we are negotiating terms with third party processors to ensure they are compliant. Can we do this for your organisation?
- Risk analysis and data audits – let us find out where your data protection risks are.
- Ad hoc support and advice – let us answer your GDPR questions.
If you need any assistance with getting ready for 25 May 2018, please do not hesitate to contact Boyes Turner’s Employment team on 0118 952 7284 or email [email protected]. Don’t leave it too late.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.