Key GDPR Steps to be Taking Now
Speaking to clients over the last few weeks has made it clear that the information surrounding GDPR has people confused, and the hundreds of pages of guidance published by the Information Commissioner’s Office does not appear to be shedding much light.
So, what does ‘GDPR compliance’ in respect of your employees’ data involve?
- Carrying out a data audit – How can you know whether employee data is being processed in compliance with the GDPR if you do not know what data you hold? This step sounds simple but can take some time to complete, particularly if you have a large workforce. It is important that you carry out your data audit before the GDPR comes into force on 25th May 2018.
- Work out your legal basis for processing – In addition to knowing what data you hold, you also need to decide if it is being held legally in accordance with the regulations. Do you have a valid legal reason for holding employee data? There are 6 potential legal bases prescribed under the GDPR. You need to know whether data is being held in accordance with a legal requirement; an employee’s national insurance number, which allows you to deduct tax, is a good example. Is it necessary for their contract of employment, such as their bank details to allow you to pay their salary? Remember that you cannot easily change your legal basis for holding data after 25th May 2018, so you must have this in place before then. The fines applicable under the new regulations are much higher – in some circumstances up to €20million or 4% of worldwide annual turnover, whichever is the greater. Whilst those may be ‘headline figures’ designed to get your attention, the likelihood is that the ICO will be seeking to make examples of non-compliant companies early on.
- Review your contractual documentation, policies and procedures – Most companies will already have a data protection policy in their staff handbook; however, that is now likely to be out of date and require amendment. You may also have a generic consent to process employee data in your contracts of employment. However, you should remember that it is unlikely that “generic consent” will now be sufficient to ensure that you are in compliance with your obligations, and you should be relying on other legal bases to retain the data you hold. You also need to put in place procedures for destroying data which you no longer require. For example, many of my clients retain application forms and CVs from when members of staff joined their company. This information often dates back several years, but do you need to keep it? The Information Commissioner’s Office suggests not! The ICO recommendation is that information relevant only to recruitment should only be retained for 6 months after the start of employment, and therefore you must have procedures in place ensuring that you at least review such data after that period has expired and take a positive decision to retain it. Be prepared to give your reasons – the ICO could ask you to explain your legal basis for holding any data at any time.
- Carry out GDPR training with your key personnel – How many of your employees handle personal data, whether on behalf of their colleagues or your customers? And how many of those members of staff will be aware of the requirements of the GDPR? It is important to ensure that your staff are aware not only of the GDPR requirements, but also of the company’s own policies and procedures for handling personal data. In the recent case of Various Claimants v WM Morrisons Supermarket plc, Morrisons were liable for a data breach caused by a ‘rogue’ member of their IT department who posted the payroll data of almost 100,000 of his colleagues on a public file-sharing website. In that case the employee in question deliberately leaked the data, motivated by a grudge against the supermarket. However, even an accidental breach by an employee who is simply unaware of the requirements could lead to severe (and expensive!) consequences for your business, so training is key.
The new regime comes in on 25th May 2018. You need to be ready by that date. As ever in these situations, the ICO will be looking for sacrificial lambs to penalise in order to emphasise the consequences of non-compliance. Don’t let it be you!