The General Data Protection Regulation (GDPR) is European legislation which, despite Brexit, will still come into force in the UK, the latest date for compliance being 25 May 2018. It will apply to all businesses which process personal data i.e. data relating to individuals. This means that it will apply to the use of employee data in HR, IT and the wider business, as well as suppliers or customers who may be individuals, sole traders or partnerships. The Information Commissioner’s Office (ICO) will be the government body whose role it will be to both assist businesses to comply but to also monitor and enforce through the use of fines. The GDPR provides a broader definition of ‘personal data’ than used in the Data Protection Act (DPA) to reflect the modern world of technology. There is also a special category of personal data called ‘sensitive personal data’, the definition for this is similar to the DPA but also includes biometric or genetic data. The legislation sets out 8 rights for individuals: the right to be informed; right of access; right of rectification; right to erasure; right to restrict processing; right to data portability; right to object; and rights associated with automated decision making and profiling. Further, it promotes accountability and governance and makes the obligations of companies more explicit than previously in the DPA. Companies will be expected to put in place appropriate but proportionate measures and some previous best practice principles will now become legal requirements. What should you do from a HR stance?
1. Visit the ICO website
Documents specifically aimed at SMEs and a new telephone advice service are on www.ico.org.uk/for-organisations/business/.
2. Conduct an employee data mapping exercise
3. Determine a lawful basis for processing personal data
Decide which of the 6 lawful bases you intend to rely on to process personal data. This must be documented and retained.
4. Appoint a Data Protection Officer if needed
5. Review your Data Protection Policy and Procedure
6. Review your Data Security Policy
7. Review how you obtain consent
This applies to candidates during the recruitment process; new and existing employees; and those leaving the organisation. Specific clauses can no longer safely be included in an employment contract.
8. Introduce privacy notices to all staff and all new joiners in the future
9. Review the arrangements for transferring data to third-parties
10. Review arrangements for transferring data internationally outside of the EU
11. Introduce training for all staff both on their responsibilities and rights
12. Introduce annual internal audits to ensure data maintained is accurate and processes are being followed
13. Consider signing up for a code of conduct or certification scheme
Not legally required but may be an appropriate decision for some organisations. Note, the nature of SMEs is taken into account when looking at compliance.