General Data Protection Regulation (GDPR) is now officially in force. It is very likely that many employers have been saturated with a plethora of communications around this new territory of regulation. However, recent figures suggest that only 5% of EU companies believe that they are compliant with all GDPR requirements. To provide some perspective and focus, here is a reminder of the essential action points for HR:
Carry out a data audit
This is the first action point for all employers if they have not already undertaken this exercise, as it underpins all subsequent internal HR GDPR compliance measures. Employers should have an up to date inventory of the personal data handled, including special category personal data (e.g. medical records) which should be identified and managed with higher level security measures and will also need to consider where privacy impact assessments are required. Employers with digitalised cloud based storage solutions are less likely to have an onerous task ahead as this will simplify the data identification and classification process.
Below is a reminder of the data audit considerations:
- Fair, lawful and transparent processing of personal data
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes of
- Accuracy and kept up to date
- Kept for no longer than is necessary for the purposes for which the personal data is processed
- Security and confidentiality
Employee privacy notice/policy
Under GDPR, employee privacy notices or policies must provide greater transparency about specific personal data processed and must identify all the purposes the personal data is required for. This will mean producing thorough and comprehensive documentation outlining the purpose and legal basis for processing and holding employee personal data.
Develop a data breach reporting procedure
GDPR places a prescribed timeframe of up to 72 hours to report personal data breaches to the relevant supervisory authority – this is the Information Commissioner’s Office (ICO), for the UK. A typical procedure would refer to a designated data protection officer or another appropriate person responsible for personal data in the organisation. The procedure should set out a robust breach detection, investigation and internal reporting instructions. The procedure is likely to incorporate the wider scope of personal data affecting organisational or business activities.
Appoint a Data Protection Officer
This is a mandatory requirement for public authorities, organisations that engage large scale systematic monitoring or organisations that engage in large processing of sensitive personal data (special category data). Employers who do not fall into these categories are not required to appoint a Data Protection Officer, however it is advisable to appoint a person with overall responsibility for all organisational personal data processing to enhance internal GDPR procedures.
For further information and support with any aspect of this article or details of our portfolio of GDPR services, please get in touch with CBW’s HR Consultants using the details below.