Does your business store and process personal data? If so, whether it is data on clients, candidates or staff, the GDPR will apply to you. The GDPR – the General Data Protection Regulation – applies from 25th May 2018 and will be legally binding on any organisation in the UK that processes the personal data of individuals.
The GDPR is a regulation, not a directive, so it applies directly without further national legislation, and it places obligations on both data controllers and data processors.
It is therefore imperative that your business takes steps ahead of the May deadline to make sure you comply with these stricter rules. So, what can you do? We have already covered some good ways to be GDPR ready; in addition, the ICO has published guidance on the steps data controllers should be taking now to prepare for the GDPR.
Raise Awareness
Ensure that decision makers and key people in your organisation are aware that the law is changing and appreciate the impact this is likely to have. Identify these people and get them some advice.
Appoint a DPO
Designate a data protection officer within your organisation to take responsibility for data protection compliance. Appointing a DPO is compulsory only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; it is not a question of company size. Even where it is not compulsory, it is still worth considering appointing a DPO. It may also be worthwhile establishing a GDPR committee.
Carry out an Audit
Organise an information audit to document what personal data you hold, where it came from, who you share it with and how long you keep it. If you do not have an appropriate person within your company to head this up, Fitzgerald HR can help you recruit.
Businesses need to keep written records to evidence how they comply with the accountability principle, a central concept of the GDPR. Look at each type of data processing you carry out, identify your lawful basis for it (for example consent, contract, legal obligation or legitimate interests) and document it. We can supply a handy spreadsheet to make sure you are covering all areas.
Review and Amend
Review how you seek, obtain and record consent for processing personal data, and whether you need to make any changes going forward. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; pre-ticked boxes and silence do not count.
Update Privacy Notices
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. The GDPR requires notices to set out, among other things, your lawful basis for processing, how long you will keep the data and the rights individuals have. If you do not have any privacy notices in operation at present, we can draft these for you.
Make withdrawing consent easy too
It must be as easy for an individual to withdraw their consent as it was to give it in the first place. Businesses will need to review their existing consent procedures and forms carefully to ensure they comply with the GDPR.
Review data protection policies
Employers will need to review, and most likely update, their existing contracts of employment, terms and conditions, and data protection policies and procedures to ensure they comply with the GDPR. Make sure they cover all the rights individuals have, including access, rectification, erasure, restriction, data portability and objection. Give Fitzgerald HR a call to start the review and amendment process early, especially if you have a lot of employees.
Create Data Risk Assessments
A Data Protection Impact Assessment (DPIA) is compulsory where a planned processing activity is likely to result in a high risk to individuals, for example where it uses new technology, involves systematic monitoring of individuals, or processes special categories of personal data on a large scale. Carry one out at the planning stage of any new initiative, and consult the ICO if the assessment identifies a high risk you cannot mitigate.
Train your staff
Make sure all staff are aware of the change in legislation and how it will affect their day-to-day work and the business in practice.
Deal with Breaches
Make sure you have the right procedures in place to detect, report and investigate personal data breaches. Under the GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay, so your procedure needs to establish who decides and who notifies.
Other things to consider, if applicable to your business:
- Subject access requests: you will no longer be able to charge the £10 administration fee in most cases, and the time limit for responding falls from 40 days to one month, so make sure your policies, forms and documentation reflect these changes.
- Consider specifically how you collect information in relation to children, as parental consent will be needed for online services offered to children under 13 in the UK.
- If your organisation operates internationally, determine which data protection supervisory authority is your lead authority.
The above list is only a handful of practical tips that employers should consider acting on before May 2018. Given the scale of the GDPR, it by no means covers every area of change, and guidance will continue to evolve. Contact Fitzgerald HR for further assistance.