According to a recent survey, almost half of businesses (48%) admit to being unprepared for the General Data Protection Regulation (GDPR) which will come into force on 25 May 2018.
With the changes now approaching at seemingly hurtling speed, here are some of the practical HR questions around GDPR you should consider:
What is the GDPR and why is it coming into effect?
The GDPR is effectively new legislation governing the collection and processing of personal data in the EU. The new regime aims to harmonise current data protection laws and to update existing (20-year-old) provisions to reflect changes over the years, not least to take into account significant changes in technology.
It’s important to note that while the GDPR stems from the EU the government has confirmed that the UK’s decision to leave the EU will not affect its commencement and the GDPR will effectively be incorporated into UK law.
What do businesses need to know?
GDPR introduces a raft of changes that businesses need to be aware of including: new rights for individuals, renewed obligations and accountability for better data management, new rules on reporting breaches.
In a nutshell, some of the requirements include:
- Providing additional information to individuals on how their data will be processed including how long data will be retained and; of the right to request amendment or erasure of data.
- Ensuring that consent for the processing of data is freely given, specific, informed and unambiguous.
Designating someone to take responsibility for compliance of data protection as a minimum and, in certain circumstances, to formally appoint a Data Protection Officer (DPO).
Complying with more detailed requirements for the security of data and notify regulatory authorities (the Information Commissioner's Office, in the UK) of personal data breaches within 72 hours.
What are the potential consequences of failing to comply?
Any business that breaches its obligations under GDPR may be subject to a fine of up to €20 million or 4% of annual turnover, whichever is greater. In addition, businesses may be subject to private claims for compensation in the event of a breach.
That said, the reality is that fines will very much remain a last resort and will often pale in comparison to the overall impact a breach could have on a business when it comes to reputational damage, lost business and the cost of remedial action.
What steps should HR take to ensure GDPR readiness?
The role of HR in preparing for GDPR will naturally vary from business to business. However, some of the ways HR can add real value is by:
- Reviewing, updating and ensuring clear communication of all relevant policies and procedures including Data Protection, Recruitment & Equality policies. For example, equal opportunities policies will need to be updated to explain any changes to the way sensitive personal data is stored and retained, whilst recruitment practices will need to be updated to ensure that only essential data is collected and isn’t retained any longer than is necessary (unless explicit consent is obtained) as part of any recruitment process.
Amending any relevant employment documentation to reflect requirements for greater transparency in relation to how data is processed. For example, HR should work with other stakeholders in the business to ensure privacy notices are updated and accessible.
Ensuring processes are in place and amended to comply with the updated rules on subject access requests. For example, policies will need to take into account that GDPR will introduce new timescales to comply with subject access requests (within one month instead of the current 40 days) and to reflect that it will no longer be permissible to charge up to £10 per request.
Ensuring appropriate mechanisms are in place to notify the regulator (and, potentially, data subjects) in the event of a data breach. For example, to reflect that any notifiable breach must be reported within 72 hours and to record the process which will be followed in such circumstances.
Working with IT to ensure that systems are compliant and able to facilitate the new requirements. For example, the right to be forgotten cannot be discharged by temporarily deleting, archiving or otherwise hiding information from view.
With the scale of the changes on the horizon, it’s naturally important that businesses prepare for the GDPR without delay. However, it’s equally important not to panic. Practical checklists and explanatory resources on the GDPR are readily available on the Information Commissioner’s Office (ICO) website and help is on hand to navigate the changes. By taking some basic, reasonable steps, businesses can work towards satisfying the requirements and avoid the likelihood of breaches and serious sanctions.
Kelly Pashley-Handford is head of HR services at Spencers Solicitors