General Data Protection Regulation (GDPR) – One month on
Many HR professionals will have spent months preparing for the GDPR. Now, one month on, you will know that compliance is not a one-off exercise but something that needs your constant attention.
How has GDPR impacted you?
The new regulation will have affected most HR activities, from the use of general consent clauses to the processing of personal data under contracts of employment.
Privacy notices will have been updated with organisations outlining:
- The lawful basis for processing data,
- Data retention periods, and
- The right to complain to the ICO.
The time frame for answering Subject Access Requests has been reduced from 40 days to one month, and in most cases a fee can no longer be charged.
Is your organisation fit for purpose?
GDPR checklist specifically for HR
- Audit information systems to find out who holds what data, and why.
- Consider why information is collected and how it is used.
- Issue policies and guidelines for managers on data security and retention about how to gather, store and retrieve data.
- Review your recruitment processes and template documentation.
- Review your employee privacy notices to ensure they are compliant with GDPR. Is each notice clear and transparent, and does it explain how an individual’s data is used?
- Audit your employment contracts (redrafting any data protection clauses and removing any general consent clauses).
- Check the security of the information stored.
- Check whether consent has been freely given and whether individuals have a genuine option to withdraw it (the right to change their mind).
Our guide, GDPR changes to policies and data, will help you make sure your HR department is compliant.
Have your staff been trained?
It is vital that employees understand the importance of protecting personal data, are familiar with your company’s security policy and put its procedures into practice.
Of particular relevance to employers is Article 32(4), which requires controllers and processors to take steps to ensure that anyone acting under their authority who has access to personal data does not process that data unless they have been instructed to do so.
The ICO’s guidance is clear that these steps include initial and refresher training for employees, including:
- The organisation’s responsibilities as a data controller or processor under the GDPR;
- Staff responsibilities for protecting personal data (including the possibility that they may commit criminal offences if they deliberately try to access or disclose data without authority);
- The proper procedures to identify callers;
- The dangers of people trying to obtain personal data by deception (for example by pretending to be the individual the data concerns, or by ‘phishing’ attacks that staff should be able to recognise), or by persuading staff to alter information when they should not do so; and
- Any restrictions the organisation places on staff’s personal use of its systems (e.g. to avoid virus infection or spam).
Clearly, one month on, many companies are still not fully compliant. According to a survey carried out by the Ponemon Institute, 52% of companies expected to be compliant on or before the 25 May deadline, 40% expected to become compliant after the deadline, and 8% were not sure when they would achieve compliance, despite the threat of fines.
For further information on how we can help support your company with GDPR, please contact one of the team.
ICO publishes Personal Data Guidance for UK Organisations
The Information Commissioner’s Office (ICO) has published detailed guidance for UK organisations on determining what counts as personal data under the GDPR.