General Data Protection Regulation 2018
The General Data Protection Regulation came into force on 25th May 2018. Are you compliant?
If you are not sure, Paisley Leaf HR offer a free HR Healthcheck which also covers GDPR compliance.
We have put together a 5-stage guide below to help you decide whether you are compliant. Remember that Paisley Leaf HR can help at each step. Contact us.
1. Data audit
You should carry out a data audit to identify areas where action needs to be taken to ensure compliance with the General Data Protection Regulation (GDPR).
The audit should ensure that you understand, within your company:
a) what personal data is held within the business;
b) where that data comes from and where/how it is stored;
c) what happens to it while it is within the business, and when and how it is deleted.
Where any areas of non-compliance are identified, or where activities pose a risk, the business will need to formulate a plan to address them.
2. Reviewing employment contracts and policies
Under the GDPR, consent must be specific, informed and freely given, which means individuals should have a genuine and free choice as to whether or not to consent to the processing and should be able to refuse or withdraw consent.
For customer data this may mean reviewing and updating consents before May 2018.
In employment terms, it means reviewing current practice. It is very common within the UK for employers to have general 'catch-all' consent clauses within employee contracts or data protection policies. These will no longer be valid forms of consent, so you will need to review your employment contracts and policies to decide whether consent should be relied upon at all.
The Information Commissioner's Office (ICO) has indicated that consent should not be used as a legal basis for processing personal data in respect of employment relationships in the UK.
3. Reviewing data policies
Your company’s data policy will most likely need reviewing. The updated data protection policy should set out clearly:
what personal data is and why data protection is important;
information about the company’s collection and use of personal data: on what basis and why this is processed;
what the data rights of individuals are and how the Company will ensure these are upheld;
how data breaches are dealt with; and
the consequences, for the company and individuals, of non-compliance.
The written policy should also set out when and how specific categories of personal data are deleted. It should include the new ‘right to be forgotten’, requiring the company to delete personal data where the data is no longer necessary for the purpose in relation to which it was collected, consent has been withdrawn or if the data was processed in breach of the GDPR.
4. Data breach
The GDPR introduces a duty on all organisations to report any data breach within 72 hours, unless it is unlikely to result in a risk to the rights and freedoms of the individuals affected. If the breach is high risk, the individuals may also need to be notified.
Companies should therefore have an internal reporting procedure in place, which should include:
guidance on what constitutes a data breach;
decision-making protocols about whether notifications are necessary, who will be responsible for such notifications and timescales; and
recording systems for all breaches, including those where there was no obligation to notify the ICO.
5. Staff training
Ensuring that your staff are properly trained can make all the difference, not only in demonstrating your company’s commitment to upholding the principles of data protection within the GDPR, but also in ensuring that personal data is properly and lawfully obtained, stored, processed and deleted, and in helping to prevent any data breaches. All staff should be trained in handling data and the training must be evidenced and monitored.
By taking these important steps, your Company will be GDPR compliant.
If you need help with the above steps, call Paisley Leaf HR for guidance and support.