Wondering what all the GDPR fuss is about? There is plenty of information out there – so here is our attempt to make it simple. Here are the practical steps that you need to be taking today in order to be ready for the new regime in May.
1. Review your contracts of employment
You probably have a standard contract of employment that contains a consent clause. After 25th May, you won’t be able to rely on this clause. Instead you will need to review your contract template and include a privacy notice which makes explicit what personal data you are collecting, why you need it, what you’re going to do with it and how long you’re going to keep it. More on this below.
2. Train your people
You need to ensure that your employees know about the GDPR. This is especially important for those who have data processing as part of their jobs. They need to be aware of the changes and how they need to act differently after the new regulations come into force. You also need to make sure your people are aware of the rules around reporting data breaches to the relevant authority within 72 hours. You may also need to inform the subject of the data breach in certain circumstances. So you can see why it’s important that your people understand this.
3. Issue a privacy notice and make it publicly available
As mentioned in point 1, this is an essential step for both employees and job applicants alike. Resist the temptation to make it one of those 94-page terms and conditions documents that we all mindlessly agree to for all kinds of internet services these days: the regulations are very clear that notices must be easily accessible and easy to understand, as well as free of charge. The ICO has helpful guidelines around privacy notices on their website here: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/
4. Audit – and conduct an initial risk assessment
The precise details of this audit will depend on your business and what you do; however, there are common principles. For example, start by ensuring that you are only collecting the minimum amount of personal information that you need for your business. Check all of your data storage, both physical and digital. Is it safe? Where are your biggest risks of data loss? Do you still need to keep data that way, or can you change your processes? How do you get consent from your data subjects? Will it be sufficient for the GDPR? What Data Protection Impact Assessments do you need to carry out? Again, the ICO website has some helpful self-assessment tools to help you here.
5. Review the personal data you are currently holding – and have a big clear out
It is time to clear out the clutter! Do you need it at all? If you do, do you need it stored in the same format? For example, could you scan physical data and store it electronically (more securely)? Does your business rely on paperwork being taken off site? This could make it all the more important to move to digital storage. Digital devices can be password protected, but once lost, pieces of paper cannot be secured.
Finally, review your HR policies and procedures. This will include those that specifically reference data protection, but also others that reference the processing of data, such as your sickness absence and recruitment policies. And if you need any help with this – well, this is what we do. We can help you review your existing policies, and we can provide up to date, GDPR compliant policies on data protection. Contact us for more information on how we can help you further.