There is still plenty of time to be ready for the GDPR. Here are 10 practical steps to take now…
Step 1 – Raise awareness and get buy-in from the top. Planning takes time and money. You need buy-in from the top, so you have the necessary resources to be on track for the new laws come into force. Its also important to understand who is responsible for delivering GDPR compliance in your business. You are likely to need assistance from the IT department to finalise any data security or privacy notices. If you are behind on her planning don’t worry, keep going. The ICO is likely to be much tougher on businesses that have done nothing to get ready for the GDPR than those who have taken steps and are still refining plans.
Step 2 – Complete a data audit. You need to work out what personal data you currently control and/or process and where exactly that data goes and what is done with it. You should have clear answers to at least the following questions: How is it collected? What happens to the information after you have collected it? Is it disposed of after a decision has been made or is it held in your systems or in the employee’s file? How secure is the data? Would you be able to detect a security breach? How and when is data disposed of?
Step 3 – Analyse the reasons that particular data is obtained currently. For example, do you currently collect and hold data for payroll purposes? Is it held for contacting family in an emergency? Or for carrying out your contracts or in case of legal action? Let’s take sickness records for the purposes of recording sick leave and giving sick pay. How long do you hold that data for? Do you have a system for deleting the data at say the end of the year? Does the reason you hold data change if you have been notified of an employee’s disability to comply with your duty to make reasonable adjustments? Are you relying on a blanket consent hidden in an employment contract or other documents and is it still relevant? You should go through a careful thought process for each category of data.
Step 4 – Consider which legal basis you will rely on for processing and remember the data protection principles. Which of the reasons will you rely on to process the data now? It is now very risky to rely on consent for most things. Remember the grounds to rely on are: consent of the data subject; necessary for the performance of a contract with the data subject; necessary for compliance with a legal obligation; necessary to protect vital interests of a data subject or someone else; if it is in the public’s interest; or if it is necessary for the purposes of legitimate interests.
Step 5 – Review and update your employment contracts and policies. You will no longer be able to rely on standard blanket consents in an employment contract and they should be removed. This will be easy enough for new staff but remember for existing staff you may need to consider undertaking a consultation process. They may include informing staff that as an employer you will no longer be relying on consent in their contract and will be relying on one of the other grounds, which you need to specify. You will also need to update any staff handbook and put in place new employment policies. At the very least you will need a new data protection policy or privacy notice which guides staff in how to comply with the GDPR. These policies will form important evidence of your compliance.
Step 6 – Check and update your internal processes. You need to allocate someone the responsibility to make sure all of the necessary processes are in place in relation to how you collect and use data so that you comply with the new laws. That person needs to familiarise themselves with the relevant ICO guidance as a minimum. You should have processes to ensure that staff can use their new rights easily and have a process for detecting security breaches.
Step 7 – Review and update your external contracts and processes. Where you share personal data with third party service providers, the business should ensure that any contract with these ‘data processors’ set out clearly the data obligations and contractual consequences of any breach. This could include contracts with IT cloud contractors, benefit providers (including occupational pension schemes) and outsourced payroll providers. You will also need to have a system in place to deal with requests from employees to share their data with third parties.
Step 8 – Identify who is responsible for data protection compliance. You may need to recruit or allocate an existing employee the task of monitoring compliance with the GDPR. You are unlikely to need a specific data protection officer or DPO but you may want a dedicated data manager or team.
Step 9 – Training. You must ensure that anyone responsible for compliance with the GDPR has adequate training, resources, and help. If you fail to support those responsible you may fail to comply with the new laws and may even face increased levels of sickness absences and connected tribunal claims.
Step 10 – Stay compliant. It’s important that you keep your policies and processes under review to ensure that the business remains compliant in the future. You should undertake at least an annual audit of how data is processed, and regular training as new employees join or change roles. Those responsible for compliance should regularly check the latest guidance from the ICO website at www.ico.org.uk
Compliance with the GDPR by the deadline of 25 May 2018 is vital for all UK and European businesses. The Internet is buzzing with checklists and advice, but many employers seem to be focussing only on the data security issues and missing the vital requirements affecting employment contracts and policies. The above is another comprehensive checklist for you detailing all the practical steps to prepare for GDPR and all these steps are important but look particularly at step 5 and make sure you don’t rely on your existing employment contracts to comply.
For further information and a FREE ‘over the phone’ assessment of what is required for your business, call Henry Doswell of Doswell Law Solicitors on 01233 722942 or email us at firstname.lastname@example.org
Disclaimer: Whilst every reasonable effort is made to make the information and commentary contained in this blog accurate and up to date, Henry Doswell takes no responsibility for its accuracy and correctness, or for any consequences of relying on it. The information and commentary in this blog does not constitute legal advice to any person on a specific case or matter. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter.