Like it or not, GDPR is going to impact all companies. As an example, consider the amount of personal data you hold on just your employees and LOSCs!
GDPR came into force in May 2016, with a two-year transition period, and becomes enforceable from 25 May 2018. The principles are very similar to those of the EU Data Protection Directive; however, the GDPR contains a number of changes, including:
- Enhanced documentation to be kept by data controllers
- Enhanced privacy notices
- More prescriptive rules on what constitutes consent
- Mandatory data breach notification requirements
- Enhanced data subject rights
- New obligations on the data processor
- Expanded territorial scope
- Appointment of Data Protection Officers
- A significant increase in the size of fines and penalties
3 May 2018 – 22 days to GDPR enforcement
As part of GDPR you must document your processing activities and maintain records of processing (Article 30) covering, among other things, the purposes of processing, the categories of data and data subjects, who the data is shared with, and how long it is retained.
FIS is currently reviewing its Privacy Notice. We are looking at the data we gather through our website and content management system, analytics and cookies.
What should you include in your Privacy Notice?
What is covered by GDPR?
Both personal data and sensitive personal data are covered by GDPR. Personal data is anything that allows a living person to be identified, directly or indirectly. This may be a name, an address, or even an IP address or other online identifier. It covers personal data processed by automated means and can also encompass pseudonymised data if a person can still be identified from it (for example, by combining it with other information you hold). Sensitive personal data (the "special categories" in Article 9) includes genetic and biometric data, health data, and information about religious beliefs and political opinions, and attracts stricter conditions for processing.
Who enforces GDPR?
In the UK, GDPR is enforced by the Information Commissioner's Office (ICO), which has the authority to impose substantial fines for non-compliance (each EU member state has its own equivalent supervisory authority). Before you panic, the ICO is not out to get you: if you have shown due diligence and can evidence it, it is likely to take a more understanding view should you fall foul of GDPR.
Who needs to be aware of GDPR in your company?
In the first instance, directors and senior managers need to be aware of GDPR and take steps to ensure that the company meets its obligations. This will then need to filter down to other members of your organisation to ensure they are following procedures.
We would love to be able to give you a template/action plan to ensure you are compliant. However, how each company approaches GDPR will differ depending on the data the company processes and who has access to it. In the first instance, you will need to assess where, and how, the personal data you hold is being processed. This will dictate your action plan moving forward.
What is important is that you take action NOW!
As a starting point, undertake an HR Data Audit:
The audit process should track all HR data from the moment a candidate applies for a job until their employment has been terminated, and on through any post-employment retention period. For each stage, ask:
- What kind of data is being collected, where and why?
- How is the data used (i.e. processed) both internally and externally?
- How long is the data retained?
- Who has access to the data both inside and outside of the business?
- What procedures and controls are in place to keep the data safe?
- Where is employees' personal data stored (including in third-party systems such as payroll, benefits and recruitment providers)?
Communicate with other stakeholders in the business (such as IT, legal, compliance, business managers) as part of any wider audit and GDPR compliance process.
Thoroughly review your practices, policies, procedures and processes to identify HR data flows.
Useful Guides and Links
There is a huge amount of information out there relating to GDPR. Just a few of the links we have found useful can be found below: