GDPR and staff data: the final countdown

With just five months to go before the General Data Protection Regulation comes into force, Sybille Steiner outlines what HR departments need to do

1. Data audit

Businesses should carry out a data audit to identify areas where action needs to be taken to ensure compliance with the General Data Protection Regulation (GDPR). There is no set way to carry out a data audit, but employers need to understand the staff data held within the organisation: where that data comes from and where/how it is stored, what happens to it while it is within the organisation and when and how it is deleted. Where any areas of non-compliance are identified, or where activities pose a risk, the business will need to formulate a plan to address them.

2. Reviewing employment contracts and policies

Under the GDPR, consent must be specific, informed and freely given, which means individuals should have a genuine and free choice as to whether or not to consent to the processing and should be able to refuse or withdraw consent. It is very common within the UK for employers to have general ‘catch all’ consent clauses within employee contracts or data protection policies. These will no longer be valid forms of consent and employers need to review employment contracts and policies to decide whether consent should be relied upon at all and, if yes, in which form.

3. Reviewing data policies

The company’s data policy will most likely need reviewing. The updated data protection policy should set out clearly:

  • what personal data is and why data protection is important;
  • information about the employer’s collection and use of employees’ personal data: on what basis and why it is processed;
  • what the data rights of employees are and how the employer will ensure these are upheld;
  • how data breaches are dealt with; and
  • the consequences, for the business and individual, of non-compliance.

The written policy should also set out when and how specific categories of personal data are deleted. It should include the new ‘right to be forgotten’, requiring employers to delete personal data where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data was processed in breach of the GDPR.

4. Data breach

The GDPR will introduce a duty on all organisations to report any data breach within 72 hours, unless it is unlikely to result in a risk to the rights and freedoms of the individual affected. If the breach is high risk, the individual may also need to be notified.

Businesses should therefore have an internal reporting procedure in place, which should include:

  • guidance on what constitutes a data breach;
  • decision-making protocols about whether notifications are necessary, who will be responsible for such notifications and timescales; and
  • recording systems for all breaches, including those where there was no obligation to notify the ICO.

5. Staff training

Properly trained staff can make all the difference, not only in demonstrating a business’s commitment to upholding the principles of data protection within the GDPR, but also in ensuring that employee data is properly and lawfully obtained, stored, processed and deleted, and in helping to prevent any data breaches. All staff should be trained in handling data and the training must be evidenced and monitored.

By taking these important steps, organisations will be ready to embrace the GDPR on 25 May 2018.

Sybille Steiner is an employment partner at Irwin Mitchell