24th April 2018
GDPR: what employers need to do after D-Day
Much of the publicity surrounding the General Data Protection Regulation has focused on what needs to be done in the run up to 25 May 2018 when the new data protection regime comes into force. However, it is what happens beyond this date that really matters because it is only when the processes and procedures introduced to ensure compliance actually ‘go-live’ that their effectiveness can be assessed.
Processes and procedures introduced to ensure GDPR compliance will only be effective if they are followed consistently and reviewed regularly, and if lessons learned from breaches or near misses are translated into changes in practice. Concentrating on ensuring that this happens is what employers need to focus on.
Consistency of approach
You need to ensure that everyone who works for or with you is aware of your policy on data protection and of the procedures that need to be followed to ensure the processing of personal data is carried out fairly.
A copy of your data protection policy and privacy notices should be made readily available, and where necessary appropriate and targeted training provided. Checks to ensure the correct procedures are being followed should be carried out regularly and instances of non-compliance dealt with swiftly. Training on GDPR for those new to your business should be included as part of the induction process.
Particular attention should be paid to long-standing members of staff who may have got used to the ‘old way’ of doing things and who may therefore struggle to make the move to doing things in the way required under the new rules.
Remember that privacy notices under the new regime will need to contain more information about your processing activities, including how long personal data will be stored for, whether it will be transferred to other countries, the right to make a subject access request and to have information corrected or erased in certain circumstances. As you get used to working under the new rules, these will need to be reviewed to ensure they cover all the bases.
Employees should be reminded of the importance of ensuring that their personal details are kept up to date and of reporting any concerns they have as soon as possible. This applies not just to their own data but to data held about colleagues, clients, suppliers and other third parties too.
Where you intend to monitor your employees’ activities, for example to check for excessive use of the internet for personal purposes or to detect and prevent criminal activity, employees need to be made aware of this.
Policies and procedures in relation to data protection should be viewed as living documents that need to be updated and tweaked in response to changes in the way data is handled and to deal with any identified gaps in provision.
You should nominate someone to take charge of the review process and ensure your policies and procedures remain fit for purpose.
Remember, the penalties for getting things wrong can be severe: a fine of up to €20 million or four percent of annual worldwide turnover and the right for affected data subjects to claim compensation, not just for financial losses but also non-financial harm, such as personal distress or upset.
Extra caution when someone joins or leaves
Any checklists you have for new starters or departing members of staff should include a data protection section. For new starters, you need to ensure that you have thought about the data you will want to process and why that is justified and that your policies and procedures on data protection have been explained and made accessible to them. Give thought to any additional considerations that arise with individual employees, such as the need to take extra care with information about criminal convictions.
Think about data submitted as part of the job application process, both for successful and unsuccessful applications. Will CV’s, correspondence and interview notes be retained and if so, on what basis and for how long?
With departing employees, you need to consider what should happen to any personal data and whether a request for erasure should be accepted. Broadly speaking, such a request can and should be refused where there is a legal obligation to continue to use the information, for example to comply with regulatory requirements, or where you believe that it may be needed to bring or defend a claim of some sort.
This article originally appeared on the Chadwick Lawrence website.