Well GDPR will be “live” on 25 May 2018 here in the UK and you still have time to get all your ducks in a row.
Given the focus of this website (Fantastic-Managers.com) on people management, this outline is primarily concerned with the effects of GDPR on employees and other workers. However, you will need to check its effects on all areas of your business, especially the potential impact on customer engagement and the handling of customer data. Visit the ICO site: https://ico.org.uk/for-organisations/guide-to-data-protection/
Firstly what is GDPR?
The General Data Protection Regulation is European Union law that applies directly in the UK from 25 May 2018; the UK's own Data Protection Act 2018 sits alongside it. Remember that it will persist in the UK past Brexit, so it won't be going away. Electronic data and technological capability have developed at such a pace that protection needs to be strengthened.
These regulations affect all businesses regardless of size and purpose and are far more stringent than the previous regime. If you are thinking that you'll look at this at some unspecified time when you can get round to it, think again. Plan for it now. GDPR takes immediate effect on 25 May 2018: there is no grace period. There are highly punitive financial penalties for breach (up to €20 million or 4% of worldwide annual turnover, whichever is higher) plus the possibility of criminal sanctions in certain cases. Add to this the potential of expensive employee claims against you and you will see the urgency and necessity of addressing it now. Make no mistake, this law has sharp teeth.
So why all the fuss?
As I mentioned above, technological advances mean that information has the potential to be collected and collated from many sources and shared as never before. The Data Protection Act of 1998 is no longer strong enough. More robust protective measures are very necessary to prevent unwanted, non-benign or even criminal use of personal data.
[Note, outside the scope of this article: if your business collects or processes personal data outside the EU you will need to understand the rules on international transfers and comply with the law of those countries too, e.g. the "Privacy Shield" framework for transfers to the USA: https://ico.org.uk/media/for-organisations/documents/2014413/data-transfers-to-the-us-and-privacy-shield.pdf ]
In common with legal requirements in other areas where there has been a breach (e.g. environmental or bribery breaches), GDPR requires that businesses self-report personal data breaches. The rules are:
• report any breach that is likely to place the rights and freedoms of individuals at risk (a breach that is unlikely to result in such a risk need not be reported, but you must still record it internally)
• inform the ICO within 72 hours of the business becoming aware of the breach
• where the breach is likely to result in a high risk to individuals, tell the affected individuals themselves without undue delay
But help is at hand and the Information Commissioner's Office has produced an excellent guide: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ Various live overviews and training sessions are also being put on by local and national organisations throughout the country, e.g. https://www.eventbrite.co.uk/d/middlesbrough/gdpr/?crt=regular&sort=best
What should you do now to prepare for the new regulations?
Well, vigorous "spring-cleaning" comes to mind. This is no quick flick of a metaphorical feather duster but a real root-out of your policies and procedures and an in-depth review of the data you already hold and why you hold it. You need to be diligent and make sure that you have a lawful basis for holding such information, that it is held securely and that it is indeed correct. Take action now to cleanse all personal data that you hold, both on paper and electronically. Additionally, think wider: do your existing contracts and all policy and procedure wording now comply with the new regulations? Do you use personal data for a different purpose from the one it was originally collected for? If so, you will need a lawful basis for the new purpose and you must tell the individuals concerned; in an employment relationship consent is rarely a reliable basis, because the employee is not in a position to refuse freely.
There is a saying that there is no time like the present. You need to give this project priority if you are to complete it by the date that the regulations impact. Instruct someone to handle this who understands its impact and the ramifications of not getting it right.
The right to hold and process data must have a lawful basis. Consent is one of the bases, but as an employer you should not rely on it for routine employment data, because consent that an employee cannot freely refuse is not valid consent. Your lawful basis will usually be one of:
• contractual necessity (e.g. bank details for payroll processing)
• legal obligation (e.g. proof of right to live and work in the UK; proof of qualifications required by law)
• vital interests (protecting someone's life, e.g. passing next of kin or medical details to the emergency services; note that health data is "special category" data and needs an additional condition, typically the employment law condition, on top of the lawful basis)
• legitimate interests (not tied to a particular item of data, but it must pass the 3-part test: a genuine purpose, necessity of the processing for that purpose, and a balance in your favour against the individual's interests; refer to the online ICO document)
You must ensure that your employees and workers fully understand what data you hold about them, what you do with it and why you need it. Each employee, worker and contractor should receive a data privacy statement which must be clear and transparent. This applies to existing employees as well as new ones. Do you still hold data on ex-employees? Is it still necessary? (It might well be, for instance, as evidence of exposure to hazardous chemicals, but check that you only hold what is necessary and for no longer than necessary.)
What are an individual’s rights?
It is important to know what rights your employees have over your handling of their personal data so that you can be ready to take timely action if requested. You will no longer be able to charge individuals for access to their personal data (except where a request is manifestly unfounded or excessive), and you must normally respond to a request within one month. The rights are:
1. To be informed: what data you collect, what you do with it, how and where it is handled and stored, and how long you keep it; you must also tell people if you later use the data for a purpose different from the one it was collected for.
2. Data access: a copy of the personal data you hold about them, plus details of how and why it is processed and who it is shared with.
3. Rectification: you must correct any details that are wrong or incomplete.
4. Erasure ("to be forgotten"): this is complete erasure, not just archiving or deactivation (check that your electronic systems, including backups and copies held by third parties, can actually do this).
5. Restrict processing: you may keep the data stored but must stop processing it in any other way while, for example, its accuracy or your lawful basis is disputed.
6. Data portability: data the individual supplied to you, processed by automated means on the basis of contract or consent, must be provided in a structured, commonly used, machine-readable form (e.g. CSV) that they can take away or have sent to another organisation.
7. Right to object: e.g. to direct marketing, to processing based on legitimate interests, or to use of data for research or statistics.
8. Automated decision-making and profiling: individuals have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them, and to obtain human intervention. It will be worthwhile to check any automated systems (e.g. CV-screening or absence-monitoring tools) and ensure that a manual review can be carried out, if necessary.
What, Why, How, Where, When and Who handles data?
Create a data retention policy that defines what data you collect, why you collect it and how you store it. State who is responsible for its handling and how long you will retain it (and define the reason for keeping it for that long). Look at the data that you collect when recruiting. For example, tell applicants at the point of application how long you will keep their CV and on what basis; if you want to keep an unsuccessful applicant's CV on file for future vacancies once the job they applied for has been filled, ask for their agreement rather than simply holding on to it. Ensure you have a data privacy statement relating to recruitment.
Think about where personal data moves to. In particular, do the third parties that you contract with handle data correctly, e.g. providers of healthcare, pension and payroll services? Where a third party processes personal data on your behalf there must be a written contract setting out what they may do with it, and you remain responsible for the data. Also, are there any internal departments who may also hold some details? Do they need it, and is access restricted to those who do?
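Two of the checks above, that "deactivating" a record is not erasure (point 4 in the list of rights) and that records are not kept beyond their stated retention period (the retention policy), can be tested against an HR database. The following is an added example, not code from the original article; it uses an in-memory SQLite table and constructed employee records (the names and addresses are placeholders, not real people), and the 6-year retention period and the `employees` table layout are assumptions for illustration, not legal requirements.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data: (id, name, email, date the person left, or None if current).
SAMPLE_EMPLOYEES = [
    (1, "A. Example", "a.example@example.org", "2015-03-01"),  # left long ago
    (2, "B. Example", "b.example@example.org", None),          # current employee
    (3, "C. Example", "c.example@example.org", "2024-06-30"),  # recently left
]

# Assumed retention period for ex-employee records; set it from your own policy.
RETENTION_DAYS = 6 * 365


def open_db():
    """Create the (assumed) employees table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        " id INTEGER PRIMARY KEY, name TEXT, email TEXT,"
        " left_on TEXT, active INTEGER NOT NULL DEFAULT 1)"
    )
    conn.executemany(
        "INSERT INTO employees (id, name, email, left_on) VALUES (?, ?, ?, ?)",
        SAMPLE_EMPLOYEES,
    )
    return conn


def deactivate(conn, emp_id):
    """'Deactivation': the account is switched off, but the personal data stays in the table."""
    conn.execute("UPDATE employees SET active = 0 WHERE id = ?", (emp_id,))


def erase(conn, emp_id):
    """Erasure: the row itself is deleted. Returns the number of rows removed."""
    return conn.execute("DELETE FROM employees WHERE id = ?", (emp_id,)).rowcount


def personal_data_present(conn, emp_id):
    """Audit check: can the person's data still be read back out of the table?"""
    row = conn.execute("SELECT email FROM employees WHERE id = ?", (emp_id,)).fetchone()
    return row is not None


def overdue_for_erasure(conn, today_iso, retention_days=RETENTION_DAYS):
    """Ids of ex-employees whose leaving date is older than the retention period."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=retention_days)).isoformat()
    rows = conn.execute(
        "SELECT id FROM employees WHERE left_on IS NOT NULL AND left_on < ? ORDER BY id",
        (cutoff,),
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both checks and return (data still present after deactivation,
    data gone after erasure, ids overdue for erasure on the given date)."""
    conn = open_db()
    deactivate(conn, 3)
    still_there = personal_data_present(conn, 3)   # True: deactivation is not erasure
    erase(conn, 3)
    gone = not personal_data_present(conn, 3)      # True: the row is actually gone
    overdue = overdue_for_erasure(conn, "2025-01-01")  # employee 1 left in 2015
    return still_there, gone, overdue


if __name__ == "__main__":
    print(demo())
```

The point of the `personal_data_present` check is that a system which only flips an `active` flag will pass a casual inspection but fail an erasure request; the same check should be run against backups and any copies held by payroll or pension providers, which this in-memory example does not cover.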
Importantly, ensure that each employee and worker is aware of the regulations. Explain what it means for them personally and how it will impact their role. When issuing each person with a privacy document, go through it with them so that they are fully aware.
Do you need a Data Protection Officer?
Many organisations will not need to appoint a Data Protection Officer: this role has a specific significance within the regulations. It should be a senior role, reporting to the highest level of management yet independent of it: the DPO must not be instructed how to do the job, must not be dismissed or penalised for doing it, and must not hold another role that conflicts with it. This person will be the point of contact for, and will have certain duties towards, the Information Commissioner's Office. Organisations that must appoint a DPO are
- public authorities (other than courts acting in their judicial capacity)
- organisations whose core activities involve
– large-scale, regular and systematic monitoring of individuals
– large-scale processing of special category data (e.g. health data) or of data about criminal convictions and offences
Even if you are not required to appoint one, someone must still own data protection in your business, and the ICO recommends that the same standards are applied to that person if you choose to call them a DPO.
I hope you are now energised to take action. This article is a brief look at your obligations. So, have a look at the helpful and easy-to-read ICO website. There is a lot of information out in the public domain and "not knowing" is unlikely to cut much ice if you fail to meet the new data protection requirements.
GDPR compliance is important and failure to comply will have far reaching ramifications.
Disclaimer: The content in this blog post and website (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.
On legitimate interests (the 3-part test referred to above) the ICO says: "Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual taking into account the particular circumstances. This is different to the other lawful bases, which presume that your interests and those of the individual are balanced."
Copyright © 2018 Christine de Caux
All rights reserved. This blog, article and website or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the author except for the use of brief quotations in a discussion/ review.