With just five months to go before the General Data Protection Regulation comes into force, we outline what your business needs to do
1. Data audit
Businesses should prepare to conduct a data audit to identify areas where action is needed to ensure compliance with the General Data Protection Regulation (GDPR). Employers need to understand what staff data is held within the organisation: where that data comes from, where and how it is stored, what happens to it while it is within the organisation and when and how it is deleted.
2. Reviewing data policies
The company’s data policy may need reviewing. The updated data protection policy should set out clearly:
• what personal data is and why data protection is important;
• information about the employer’s collection and use of employees’ personal data: on what basis and why it is processed;
• what the data rights of employees are and how the employer will ensure these are upheld;
• how data breaches are dealt with; and
• the consequences, for the business and individual, of non-compliance.
The written policy should also set out when and how specific categories of personal data are deleted. It should include the new ‘right to be forgotten’, which requires employers to delete personal data where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data was processed in breach of the GDPR.
3. Data breach
The GDPR will introduce a duty on all organisations to report any data breach within 72 hours, unless it is unlikely to result in a risk to the rights and freedoms of the individual affected. If the breach is high risk, the individual may also need to be notified.
Businesses should therefore have an internal reporting procedure in place, which should include:
• guidance on what constitutes a data breach;
• decision-making protocols covering whether notifications are necessary, who will be responsible for making them, and the timescales involved; and
• recording systems for all breaches, including those where there was no obligation to notify the ICO.
4. Staff training
Properly trained staff can make all the difference, not only in demonstrating a business’s commitment to upholding the principles of data protection within the GDPR, but also in ensuring that employee data is properly and lawfully obtained, stored, processed and deleted, and in helping to prevent any data breaches. All staff should be trained in handling data and the training must be evidenced and monitored.