It’s hard to believe that following months of anticipation, the General Data Protection Regulation (GDPR) has been in force for over three months now.
Alongside this, the Data Protection Act 2018 received Royal Assent on 23rd May 2018. The Act makes provisions for how data protection law applies in the UK and stipulates the increased enforcement powers of the Information Commissioner’s Office (ICO).
The ICO has also drafted a new Regulatory Action Policy which sets out its enforcement powers and practices. Proposed new powers include no-notice inspections, compelling people and organisations to hand over information and making it a criminal offence to destroy, falsify or conceal evidence. The ICO aims to make decisions to take appropriate action in line with a framework of objectives; proportionate and consistent practices feature amongst these objectives. Following the completion of a consultation with stakeholders and the public (28th June 2018), the Policy is now subject to Parliamentary consideration and final approval.
What is the message from the ICO?
Although the ICO is very clear that it will not accept organisations that do not take adequate steps to protect personal data and deliver information rights, on the flip side its approach is designed to protect data subjects and support businesses to operate efficiently. As such, it advises that sanctions will not be used disproportionately. This does not mean organisations should revert back to old practices; data audit exercises and implementing data information polices remain vital in order to facilitate compliance.
The key action points to manage HR data remain unchanged – here is a reminder below:
Carry out a data audit
This is the first action point for all employers if they have not already undertaken this exercise, as it underpins all subsequent internal HR GDPR compliance measures. Employers should have an up to date inventory of the personal data handled, including special category personal data (e.g. medical records) which should be identified and managed with higher level security measures and will also need to consider where privacy impact assessments are required. Employers with digitalised cloud based storage solutions are less likely to have an onerous task ahead as this will simplify the data identification and classification process.
Below is a reminder of the data audit considerations:
- Fair, lawful and transparent processing of personal data
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes of
- Accuracy and kept up to date
- Kept for no longer than is necessary for the purposes for which the personal data is processed
- Security and confidentiality
Employee privacy notice/policy
Under GDPR employee privacy notices or policies must provide greater transparency about specific personal data processed and must identify all the purposes the personal data is required for. This will mean producing thorough and comprehensive documentation outlining the purpose and legal basis for processing and holding employee personal data.
Develop a data breach reporting procedure
GDPR places a prescribed timeframe of up 72 hours to report personal data breaches to the relevant supervisory authority – this is the Information Commissioner’s Office (ICO), for the UK. A typical procedure would refer to a designated data protection officer or another appropriate person responsible for personal data in the organisation. The procedure should set out a robust breach detection, investigation and internal reporting instructions. The procedure is likely to incorporate the wider scope of personal data affecting organisational or business activities.
Appoint a Data Protection Officer
This is a mandatory requirement for: public authorities, organisations that engage large scale systematic monitoring or organisations that engage in large processing of sensitive personal data (special category data). The scope and responsibilities will be in the wider context of personal data and not just focusing on HR related information held. Employers who do not fall into these categories are not required to appoint a Data Protection Officer, however, it is advisable to appoint a person with overall responsibility for all organisational personal data processing to enhance internal GDPR procedures.
For further information and support with any aspect of this article or details of our portfolio of GDPR services, please get in touch with CBW’s HR Consultants.