The introduction of the GDPR places substantial obligations on organisations to demonstrate compliance. The bulk of this work should be carried out in advance of the implementation of the legislation in May 2018. To assist organisations in getting (and remaining) GPDR compliant, LAW has complied a suite of style documents which are now available on the client area of our website.
If you are responsible for preparing your organisation for the implementation of the GDPR, don’t miss our final public training sessions on this topic, which are running on 6th February in Glasgow and 8th February in Edinburgh. Book your place here. With a few months to go until the GDPR’s implementation, employers should take the following steps to demonstrate initial and ongoing compliance with their obligations under the GDPR.
Data processing register: create and maintain a comprehensive register of data processing activity. This is a critical starting point as organisations can only comply with obligations if they know what information is held, how it was obtained, what it is used for, who it is shared with and what the lawful grounds for processing are. LAW’s template “Data Audit” can, if maintained, form the basis of an organisation’s register of activity.
Privacy notices and policies: create or update privacy notices and data protection policies. For existing staff data, organisations may wish to use our combined “Employee Data Policy and Privacy Notice”. Alternatively, we have produced a standalone “Employee Data Policy” and a standalone “Privacy Notice”. Also available is our combined “Job Applicant Data Policy and Privacy Notice” which can be issued to applicants as part of a recruitment process. Organisations should also consider how DSARs and requests to exercise data subject rights will be dealt with and create or update policies where necessary. LAW guidance on DSARs and updated style documents will be made available in the coming weeks.
Carry out regular reviews: organisations should build in regular reviews of data audits or registers to ensure that the original purpose for which data was obtained is still relevant and that a lawful basis for processing still exists. If the purpose for using the data has changed, privacy notices should be updated and re-issued to staff. Data subjects should also be asked to confirm that the data held is still accurate.
Implement training: it is crucial that organisations consider any training needs in relation to data protection to help ensure that staff (including senior managers) are fully aware of their and the organisation’s obligations. This should not only include training on the legal framework of the GDPR but also the organisation’s own rules in relation to data security and reporting data breaches. LAW can assist with all aspects of HR and Employment Law training, including comprehensive data protection training. Contact our Training Manager, Lorna Gemmell, on 0141 271 5576 or at email@example.com for further information.
Implement “privacy by design”: consider data protection at the outset when implementing new processes, procedures, policies and systems: For example, if an organisation is upgrading its payroll system or introducing a new HR management system it would need to assess the privacy implications at the very start of the design process rather than as an “add on” at a later date. Data Protection Impact Assessments are also required in situations where data processing is likely to result in high risk to individuals:
- Where a new technology is being developed.
- Where a profiling operation is likely to significantly affect individuals; or
- Where there is processing on a large scale of the special categories of data.
Appoint a data protection officer: only some organisations will be under a legal obligation to appoint an independent data protection officer whose duties will be akin to those of an auditor. These are:
- Organisations processing personal data as a public entity
- Where the organisation’s main activities require the regular and systematic monitoring of data subjects on a large scale
- Where the organisation’s main activities consist of processing sensitive data on a large scale
Although most employers hold sensitive data, it is unlikely that processing will be sufficiently regular or large-scale for appointment of a data protection officer to be mandatory for the majority. However, employers should consider voluntarily appointing a Data Protection Manager or allocating responsibility for monitoring compliance to an existing member of staff / department.
Review arrangements with data processors: if organisations engage data processors who handle the employee data (e.g. an outsourced payroll function or pension administration) steps should be taken to check that these third parties have processes in place to protect data in line with the GDPR.