GDPR and new Data Protection Act Bill – what employers need to do now

Employers have dual obligations: they must comply with data protection law in respect of their own employees' data, and they are answerable for how their employees handle personal data in the course of employment. Here are some key points employers should consider ahead of the GDPR coming into force.

Allocate Responsibilities
Make sure you are clear on who in your organisation is responsible for data protection and overseeing changes required under the GDPR.

Review data being processed
Audit the data you process, what you do with it and why. Consider your various categories of data subject, including applicants, employees and clients. This will help you to understand where you need to tighten up or make changes to policies and procedures.

Review the basis on which you process data
It will be vital when the new rules come into force to understand which lawful ground you are relying on to process data. It is common for employers to rely on employees' consent to process data. From May 2018 consent given by an employee will be valid only in very restricted circumstances, because of the imbalance of power in the employment relationship. We recommend employers review contracts and, if they are relying on consent, begin the process of amending them or issuing new employee data processing notices that set out a different ground, for example that processing is necessary for the legitimate interests of the employer. Where contracts are issued for new staff we recommend the consent clauses are replaced with a reference to a different valid ground.

Review and update privacy notices
This can start now and include the additional information which will be required under the GDPR, for example details of retention periods and data subject rights, including the right to complain to the Information Commissioner's Office (ICO). The ICO has produced comprehensive guidance on privacy notices under the GDPR. A one-size-fits-all approach may not be suitable, and organisations could require different privacy notices for different categories of data subject, for example applicants, employees, or clients and customers.

Update and recirculate data protection policies
Draft terms of the new Data Protection Bill implementing the GDPR are expected later this month. Once these are clear we recommend updating policies and procedures with a view to having this in hand by the end of January 2018. Data protection policies should be regularly reviewed and updated afterwards and recirculated to staff so they are fully aware of their obligations when it comes to handling data. Regular compliance checks are also recommended, as the GDPR's accountability principle places increased emphasis on being able to demonstrate compliance with data protection rules once it comes into force.

Education and training vital to minimising risk of liability
All staff should be trained in their obligations under the GDPR and compliance should be monitored. If staff do not follow your rules, action should be taken. If regular compliance checks show gaps in knowledge, this should again be addressed by appropriate training.

Actively manage/delete data
The GDPR places great emphasis on data minimisation, so that no more personal data is processed than is required for the particular purpose. Delete data which is no longer needed or which is out of date. Regularly review how much data you are keeping and why. If possible put in place standard retention periods and stick to them. For example, if you are retaining data to show that you have complied with right to work checks, this should be kept for two years after employment ends but no longer.

Plan to respond to Subject Access Requests (SARs)
We recommend all employers put in place a policy for recognising and handling SARs, as we expect the volume to increase when the requirement to pay a fee is removed (a fee may only be charged where a request is manifestly unfounded or excessive). Be aware that you will have less time to comply, with the current 40-day period shortened to one month, so you need to be prepared to respond quickly. Additional information must be provided to those making a SAR, and we recommend pro forma response letters are produced to streamline the response and ensure nothing is missed.

Data protection breach reporting
Develop a process for recognising, handling, reporting and responding to personal data breaches. Once the GDPR comes into force, breaches will need to be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals it will also need to be reported to the affected data subjects. Keep a record of every breach, including those not reported, so that you can demonstrate how the decision was reached.

Internal communications will be vital
Make sure all the different parts of your organisation are speaking to each other and receiving the same message on data protection.

If you are still unsure about the effect the changes will have on your organisation, take early advice on getting your policies and procedures in shape to minimise the risk of hefty fines.

September 2017

Attachments:

Employment_-_GDPR_and_new_Data_Protection_Act_Bill.pdf