So here is a quick summary of the things you should consider doing if you haven't already:
1. Carry out a mini-audit
It may be that you're almost there, or that you have a mountain to climb. However, you'll never know without some sort of audit of your current data processing systems, procedures and policies. Once you know where your gaps and vulnerabilities are, then you can plan the changes needed.
Questions you might want to ask yourself include: what kind of information do you hold on your employees? Where does it come from? What do you use it for? Do you share it with others? Are employees fully aware of what you are doing with their data? We can provide a simple audit matrix for this purpose if required.
2. Review your contracts
As part of your audit, you should review all the contracts and forms you use for employees, consultants, job applicants etc. to identify which may need amending to ensure compliance with the GDPR. As well as your employment and consultancy contracts, you should also consider the wording of your information collection forms (for example, flexible working requests, staff surveys, subject access requests, personal information and benefit forms etc.), job application forms and contracts with third parties (for example, benefits or training providers) to check whether there is a data security aspect which needs reviewing. Where the terms of these contracts run beyond 25 May 2018, the new law will already be relevant to them.
3. Consider your legal basis for processing
You should identify which of the legal grounds for processing apply to each of your processing activities and, where applicable, update your privacy notices to explain that.
The one which employers will particularly need to look at is consent. As explained in last week's blog, it is going to be difficult for employers to rely on employee consent for data processing except in specific one-off circumstances. Ideally, you should try to identify an alternative legal basis for different aspects of processing.
To the extent that individual consent is still appropriate or required in certain situations (for example, medical reports or use of likeness in media etc.), this should be contained in a standalone document, with a clear and specific explanation of the reason for processing and of the individual's right to withdraw consent. An individual's employment or benefits should not be made conditional on their giving consent.
4. Work on your policies and procedures
Beyond the contracts and notices above, you should ensure that you have a published procedure in place for:
- detecting, handling and reporting data breaches;
- responding to subject access requests within the new, shorter timescales;
- deleting or amending employee data; and
- enabling employees to withdraw their consent to data processing.
5. Record keeping
This is, no doubt, something which HR teams have got used to doing under the current Data Protection Act, but to ensure continued compliance with the GDPR it will be critical to keep on top of record keeping and data retention requirements.
6. Identify a compliance lead and raise awareness
Even if you do not need a Data Protection Officer by law under the GDPR, you will need someone within your organisation to take responsibility for data protection and to know their stuff – whatever their job title. Depending on the size of your organisation, you may want a specific person in the HR team to lead on data protection from an HR perspective.
Make sure your management team is aware that this is a significant compliance issue which requires careful attention and resources. You will need to raise awareness of the implications of the GDPR across your organisation. It is likely that different training will be required for different levels of staff. For example, all staff will need to understand their individual responsibilities when it comes to data handling and reporting of breaches, whereas those with management responsibilities may need additional training in order to understand individuals' rights and how to give effect to those.
7. ICO guidance
We suggest you keep on top of both existing and new guidance issued by the Information Commissioner's Office (ICO) on its website. A key role of the ICO is to educate data controllers and the ICO's interpretation and application of the law will provide employers with extremely valuable guidance on how to implement the GDPR. The ICO has already issued a helpful "Overview" document, which explains key terms, as well as an updated document called "12 steps to take now" and draft guidance on consent.
8. Privacy impact assessments
Under the GDPR you must plan around privacy impact from the outset of projects. In some situations a privacy impact assessment will be mandatory. Even if it is not, it is best practice to conduct a privacy impact assessment before embarking on any new major projects or policy changes. You may also want to consider implementing a programme of regular audits or spot checks to ensure continued compliance.
We will be providing more information about the GDPR and the Government's Data Protection Bill as and when it's available, both via this WorkLife blog and our Information Matters newsletter, as well as offering specific training. In the meantime, if we can be of help with any of the points raised in this blog, please get in touch with your usual contact in the firm.