Monday, 11 September 2017

Of Preparing for GDPR - it's probably not as easy as you think....?!

All the talk at the moment is about the GDPR. My experience of having worked in the area of compliance law for more than 20 years is that some laws are taken seriously and some are not. The new Regulation, due in force next May, definitely belongs to the former category. Here's how one top practitioner in Northern Ireland is advising employers to be GDPR ready. Thanks to Anna Flanagan of Pinsent Masons for this information.


1. Identify the lawful basis for processing all personal data and keep a record of this
You should bear in mind the record-keeping obligations under the GDPR and start keeping a record of the lawful basis for processing all personal data.
The conditions for processing have slightly changed – review the changes and ensure your organisation can rely on one of them before processing data.
Try to avoid relying on consent, as it is unlikely to be valid in an employer/employee relationship. Update your privacy notice to include the reason for processing (a new requirement under the GDPR).
2. Examine retention periods of personal data
Look at how long your organisation holds on to personal data (particularly, for example, for ex-employees or unsuccessful applicants for job vacancies).
Think about whether you have a logical reason for your current retention periods (if there are such periods). Does this reason apply to all the personal data you hold, or could some be deleted? The GDPR does not specify particular retention periods, but the general principle not to hold on to data longer than necessary remains.
3. Update your Subject Access Request policy
There is now a shorter timeframe for response (one month) and no fee is payable; make sure your policy reflects this.
4. Can your organisation comply with individuals' new rights under the GDPR?
There are new data subject rights, including the "right to be forgotten" or right to erasure (Article 17), which build on current rights confirmed in case law, and additionally the right to "data portability" (Article 20).
Ensure you have the appropriate policy and technology in place to recognise and comply with any of these requests within the relevant timescale.
5. Train staff
Roll out a training programme for staff on all the new GDPR implications, ensuring they are aware of the relevant policies and changes. Given that organisations are increasingly vulnerable to the risk of loss, damage or destruction of their data, and the new requirement to notify the ICO within 72 hours of a breach, particularly ensure that staff are trained on how to keep data secure.
Join the many organisations who now do this training online. Not only do they find it more convenient and cost effective but it also generates a real time record of all training activity completed by staff.
6. Transfer of data
Examine where Personal Data is transferred, including to Cloud/Storage providers. Look at all Personal Data outsourcing which could include long-term storage/archiving (where appropriate), payroll etc. Work out where the Personal Data is held and whether that is inside or outside of the EEA. Find out if there are appropriate contracts in place and if not consider or take advice on what mechanisms can be used to regularise transfers under the GDPR.
7. Special categories of data
Your organisation is very likely to hold "Sensitive Personal Data", for example relating to data subjects' disability, ethnicity, religion or health. Consider whether your organisation has any special security measures in place for the processing and transfer of this type of information in particular.

Our own e-learning modules on Data Protection in the workplace and getting ready for GDPR are also available online.
