A guest-blog by Diana Collins of #ORBMember DLC Engage HR:
As 2018 commences, we are all focussing on what key things we should be doing through the year and hopefully you will have GDPR, the new data protection regulation, firmly etched on your calendar for 25th May 2018… right?
As background, EU GDPR is the new General Data Protection Regulation, a European Union (EU) privacy regulation that was signed into law back in April 2016.
Since 1998 the Data Protection Act has served the role of safeguarding personal data; however, some 20 years on, the world has changed significantly. We have seen huge technological advancement, with the collection and use of data dominating almost every process you can think of. Worldwide. HR data, client data, supplier data and customer data. Data on us, personal data, sensitive personal data, our name, address, date of birth, banking details, health information, email addresses, passwords… the list goes on. Data is valuable, and managing the risk of this data, be it on a system or on paper, being compromised is the responsibility of every business that is involved in collecting, storing, processing or handling personal data.
So as a small business do I really need to be doing anything?
Yes, the regulation applies to all sizes of business, from the largest of organisations through to a sole trader. If you collect, handle, process, store or manage personal data on an EU citizen, as part of your business, the regulation will apply.
You will be referred to as a Data Controller. If you are processing personal data on behalf of another business, you will be referred to as a Data Processor. In some instances, you may be both.
What about Brexit – do I really need to be doing anything?
Brexit has no impact, as regardless of where you are in the world, if you process data on an EU citizen you need to comply with EU GDPR.
What one key thing should I be aware of regarding GDPR?
The new regulation states that businesses must demonstrate ACCOUNTABILITY – the regime will be far stricter, with greater penalties than the current Data Protection Act.
As a business you will need to actively demonstrate ongoing compliance and appropriate governance. This is not a “tick the box and put it away in the drawer to gather dust” exercise – this regulation means business and is absolutely about protecting personal data on consumers and giving them more control over how that information is collected, stored, shared and used. GDPR states that you will implement “appropriate technical and organisational measures that ensure and demonstrate you comply”.
How much will I be fined if I do not comply?
There is a duty on all businesses, no matter what size, to report certain types of data breach to the ICO. The specific term is “where it is likely to result in a risk to the rights and freedom of individuals”. The ICO gives examples: “where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.” You have 72 hours in which to report the breach.
Companies found in breach of the regulation, be they the Data Controller or Data Processor, can expect fines of up to 4% of annual global turnover to a maximum of 20m Euros (£17m).
What would a personal data breach look like?
The ICO have provided the following examples:
“Access by an unauthorised third party; deliberate or accidental action (or inaction) by a controller or processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission and; loss of availability of personal data.”
What systems do you have in place to report a breach? Create it, document it, update it, check that it works, and communicate it to relevant staff in your business and to any third-party suppliers involved in handling your data on your behalf.
What rights will individuals have under GDPR in relation to personal data held on them?
“The right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and, the right not to be subject to automated decision making including profiling.”
Subject Access Requests will require you to respond within one calendar month and without charge – currently the period is 40 days.
Do you have systems and procedures in place that will work if such a request comes in? Are the logistics there to enable you to source, collate and present the information within a month?
I know I already comply with the current Data Protection Act 1998, do I need to be doing anything more?
Most of the rights referred to above are covered by the current Data Protection Act 1998 – but use this forthcoming legislation as an opportunity to review what data you hold and how securely you are holding it. A data subject could be a member of your staff for example. If you were asked to erase all personal data that you hold on someone could you retrieve the information from your systems easily, do you know where all the information is stored and on what systems? Where all the paper records are kept and by whom?
Remember that you are accountable and therefore will need to demonstrate that you understand the new legislation and what your responsibilities are, that you have documented policies and procedures in place that work, and that individuals within your business understand what constitutes a breach and know what to do.
What practical steps can I take to demonstrate I am underway with complying with the new regulation?
- Identify what types of personal data you have and create a list
- Consider where the data is coming from and what your lawful basis is for processing it, and document this: for example, why do you collect it, what do you do with it, where do you keep it, how long for, do you really need it, can you evidence consent to holding it, have you been clear to that individual that you are holding it and why? Who else has access to it, and why? etc.
- If you are relying purely on consent, are you aware of what you should be doing to comply? What records are you keeping? Can you evidence you have sought consent?
- You should not hold onto information for any longer than is necessary – you should not be keeping personal data or records on a “just in case I might need it in the future” basis.
- Review your privacy notice/statement, update it to ensure you are very specific about what you do with personal data and what steps data subjects can take as far as their rights are concerned. If you don’t have one, you will need one.
- Transparency: all information in relation to personal data and how you are handling it needs to be clear, unambiguous, accurate and limited to what is necessary.
- Review your procedures and policies
- Make your staff aware – train them in any new processes
Where can I look up further information and guidance on the new regulation?
The ICO is the UK’s independent authority set up to uphold information rights in the public interest; they are the UK’s supervisory body for the new EU GDPR regulation.
This is a link to their website, which includes the “GDPR: 12 steps to take now” guidance and the “Getting ready for GDPR” checklists.
I have staff records and associated documentation, should I do anything?
Yes, without a doubt. Hopefully you are already complying with the current data protection regulation; however, you will need to identify and document the data you hold, carry out an audit and review procedures to reflect requirements going forward. Specifically, a challenge will be responding to any subject access request in the new time frame of one month. Reviewing third-party supplier agreements where you outsource the handling or processing of personal data is also key; think of your payroll provider, for example. Having a Privacy Statement relevant to the HR personal data you collect, for use as early as the recruitment stage, should be on your list too.
This article has been written to provide an overview only and I hope you found it useful. It is a vast subject and this article certainly hasn’t covered everything. If you would like to understand more about GDPR I am available to provide consultancy support to you, particularly on your HR related personal data.
If you would like to contact Diana about the subjects covered in this guest-blog, she can be reached via DLC Engage HR on 07540277610 or via email at firstname.lastname@example.org
DLC Engage does not accept any liability, whatsoever for any direct or consequential losses arising from any use of this article or the information contained therein, or out of the use or reliance on any information set out herein. Reference should be made to the website www.ico.org.uk for up to date and current information.