22nd May 2018
GDPR: what employers need to do after D-Day (Part Two)
With the emphasis on complying with the requirements of the General Data Protection Regulation now shifting to what needs to happen after 25 May 2018, we continue the discussion on how to ensure compliance is maintained.
Record keeping and central register
Although businesses employing fewer than 250 people are not obliged to maintain records about all the personal information they hold and how it is collected, stored and used, it is likely that records will be required for the frequent processing of employee data for HR purposes and for the processing of information relating to an employee’s health. Records will also be required for the processing of high risk data, such as details of criminal convictions or other information which could affect an individual’s rights and freedoms.
Irrespective of the extent of your record-keeping obligations, consideration should be given to creating a central register within which certain key information is logged. This will help you to identify any patterns that begin to emerge in terms of potential shortcomings and in the types of requests being made by data subjects, and to plan for any action that needs to be taken specifically in respect of employees and other personnel.
Having a central register will also make it easier for you to spot when a serious problem has arisen, and where this needs to be reported to the Information Commissioner’s Office or affected individuals. It should also help to demonstrate the otherwise robust nature of your data protection compliance checks.
It is for you to decide – in consultation with your data protection officer if you have one – the information that should be captured, but this could include:
- the categories of data held and the purposes for which data is processed;
- the lawful basis on which data is processed, for example express employee consent, or necessity on the grounds of a legal obligation, a contractual requirement or a legitimate business interest;
- details of any requests made by employees concerning their data, such as a request for access to it, for the correction of erroneous data, or for its erasure;
- any time limits or restrictions that apply when dealing with a request;
- any steps that need to be taken while a request is considered, for example restricting continued processing where the purpose for which processing is undertaken has been challenged;
- the outcome of a request, together with reasons;
- any withdrawal of consent and the steps taken as a result;
- the date and means by which an employee’s personal data has been erased, including the steps taken to ensure erasure by any third-parties to whom the data has been transferred;
- any personal data breach that needs to be notified to the Information Commissioner’s Office and, in the case of breaches which pose a high risk to a person’s rights and freedoms, to the affected individuals;
- any financial penalties or other sanctions imposed; and
- internal action taken to prevent further breaches and near misses.
Learn from your mistakes
Where a breach or near miss occurs, it is important that you consider the reasons for it and take steps to ensure any gaps in your policies and procedures are plugged. Details of what happened should, where appropriate, be circulated to staff, with an explanation of the changes being introduced as a result.
It is important to learn from your mistakes, and, where notification to the Information Commissioner’s Office is required, to be able to demonstrate awareness of existing weaknesses and a willingness to address them, particularly as this could help to limit regulatory and financial sanctions.