The steps employers have already taken, and are still taking, in the run-up to the implementation of the General Data Protection Regulation (GDPR) on 25 May will not end once the deadline has passed. GDPR compliance is a continuous process of monitoring, updating and improving, and the key issues employers need to consider include:
Auditing and updating records and notices
Employers need to continue to conduct audits of all personal data collected and processed about job applicants, and existing and former employees. What data is collected, how is it collected and why, what is the legal basis for processing it, where is it stored, who is it shared with, how is it kept secure and when is it deleted? These are the kinds of questions that need to be considered and answered on an ongoing basis.
Employers should also check that they are only collecting and retaining personal data that is necessary for their purposes and that data is securely deleted when there is no longer a need for processing it. The data inventories and registers that have been completed as part of an organisation’s GDPR compliance should also be reviewed and updated on an ongoing basis so that, when new processes and data processing activities are implemented, they remain an accurate and up-to-date record. The new GDPR-compliant data protection notices that are being rolled out to all job applicants and employees also need to be reviewed and updated regularly to reflect any new data processing activities.
Responding to data subject rights
Employees are becoming more aware of the rights they have in relation to their personal data. Organisations need to ensure they have processes and procedures in place to respond to any request an individual makes, and that those processes and procedures are periodically tested to ensure compliance with the requirements of the GDPR. Questions to consider include: are there processes in place to locate and respond to a data subject access request within the one-month deadline? If an employee asks to correct inaccurate data, can HR locate all the relevant data (whether stored electronically, in manual files or with third-party service providers) and update the inaccuracies within the one-month deadline?
Key to any organisation’s compliance efforts is a workforce that understands the main data protection obligations and potential risks to the business. Employers should ensure that employees undertake regular data protection training so they know how to properly handle the personal data that they have access to during their employment. Data protection compliance needs to continue to be at the forefront of people’s minds beyond 25 May and staff training is one way to achieve that.
The risks of failing to be GDPR compliant are well known. The headline fines of up to €20m or 4 per cent of global turnover, whichever is greater, represent a significant increase on the current maximum fines. We do not yet know the extent to which the Information Commissioner’s Office will issue those fines but clearly no business wants to be the test case.
Whatever an organisation is doing to become GDPR compliant needs to continue far into the future. 25 May is not the end: the GDPR is going to be an ongoing and evolving compliance journey for every organisation.
Sarah Thompson is an employment lawyer at McGuireWoods