GDPR – Employee record keeping and beyond

In a series of blogs, Amelore begins to look at GDPR from an HR perspective to ensure employers are ready for the new requirements in respect of their employee data and beyond. This will form part of a continuous focus on this hot topic until May 2018, when GDPR goes live. We appreciate that many companies may not yet have begun their GDPR journeys, so we will be offering advice and guidance in short blogs. We will also help to signpost employers to useful information which extends beyond the processing of employee data.

GDPR is itself an extension of existing UK data protection laws. This new legislation builds on the Data Protection Act (DPA) which employers already need to adhere to. DPA principles cover areas such as ensuring employers keep accurate, secure information.

The ICO (Information Commissioner’s Office) is at the forefront of helping organisations understand this evolution of our data protection laws. It recently published GDPR Myths, a series of blogs that helps to demystify the new regulations.

Data breach – what does an employer need to do?

In the ICO’s latest blog they provide valuable advice and guidance on how employers need to respond if a data breach occurs. They report that some employers have expressed concern that every data breach needs to be reported and that huge fines will ensue. The ICO say this is not the case and that only breaches that are likely to pose a risk to people’s rights and freedoms will need to be reported.

The ICO also point out that fines will be proportionate and that companies that are open, honest and report without undue delay can avoid fines. It is expected that by now larger organisations will already have appointed a Data Protection Officer (DPO). However, smaller organisations are also advised to consider who in their organisation is responsible for data. We would advise all organisations, no matter how small, to know who is responsible for data (again, not just employee data) and who is responsible for reporting a breach should it occur. This starts to form a robust approach to data governance.

Employee data processing

Employee data processing will be a key focus for many organisations; however, some employers may be worried about potential changes to how they currently store their data.

All organisations will be storing employee records in some way, shape or form, so you are now advised to review these filing systems, including the security of the data you are processing in respect of employing people, to ensure robustness. We have already observed some organisations writing to their third-party data processors asking for evidence of their compliance.

Handlers of this data need to make sure they are processing it fairly and for legitimate purposes. Furthermore, if they are transferring it outside of the EEA, specific safeguards must be in place.

For those employers wondering whether the UK’s exit from the EU will affect GDPR, the government has already confirmed it will not. However, please note that international companies operating across EU states will need to work out who their lead data protection supervisory authority is.

Further still, forming a data protection working party or project team to audit what data is being processed is also advisable. Many companies are already helping organisations with data mapping and auditing. Amelore works closely with Mazars to provide a range of services for our clients.

In summary, the good news is that common sense does prevail, and processing data where it is necessary for the performance of a contract will be a valid reason for processing. If you have any queries in relation to any of the points made, please contact Amelore for further advice and guidance.

We will continue to focus on this topic as we approach next year, tackling other aspects of the GDPR in further detail, such as consent, the right to be forgotten, and subject access requests.


GDPR countdown – are you ready?

The new General Data Protection Regulation (GDPR) comes into force in May 2018. You need to start preparing now, as time is fast running out.

Changes to the governance of data will have far-reaching consequences for businesses. GDPR will determine how your business does business, and particularly how it manages, protects and administers data in the future.

Europe currently has a plethora of different data protection regimes, one in each EU country. Organisations have to deal with many different sets of rules depending on where they set up their business and sell their products or services. The GDPR will harmonise data protection laws across the EU and will also apply to organisations across the world. Any company that processes personal data about EU citizens, whether they reside in the EU or elsewhere in the world, will need to abide by the GDPR.

European companies are still wrestling with how they are going to be compliant with the law in less than a year. Companies from other parts of the world may not have even heard of the GDPR, and therefore might not be aware of the possible impact upon them. As citizens from EU countries do business and exchange data with companies across the globe, the GDPR is something that international companies outside the EU need to be aware of and should be planning for. Failing to do this could seriously hinder their ability to market and sell their products and services in the EU.

Who needs to be GDPR compliant?

It is imperative that organisations that offer goods and services to EU citizens, and that subsequently process their personal data, are compliant with the GDPR.

A global study by Veritas showed that businesses are worried that they will not be compliant by the May 2018 deadline. The research showed that 56 per cent of respondents in Singapore, 37 per cent in the US and more than 60 per cent in Japan and South Korea are worried they will be unable to meet the May 2018 deadline for compliance.

More than 90 per cent of organisations in Singapore expressed concern about the potential business disruption from GDPR. Around 20 per cent fear that their company may go out of business as a result.

These are alarming figures for foreign companies that do business in the EU.

The GDPR represents a shift across the world towards a culture of safeguarding personal data, especially considering the global reach of the legislation.

What you should already be considering

As the clock is ticking, companies should be working towards compliance in a structured manner, including:

  • rolling out GDPR awareness programmes across the business;
  • ensuring representation and input from all key business functions;
  • data mapping all personal data flows in and out of the organisation;
  • creating an information asset register; and
  • undertaking a gap analysis against the GDPR compliance requirements, including consent notices, privacy impact assessments and contractual arrangements with third parties with whom personal data is shared.

These will form part of the building blocks for determining how much further work is required for the business to be compliant by Spring 2018. Many businesses will require significant changes to policies, procedures and working practices. Smaller businesses that collect, process and store limited personal data may be less affected, but may still need to make some changes to comply with the new legislation.

Clearly, organisations that started to work towards GDPR compliance early on are ahead of the game and have a better appreciation of the level of effort required to make the changes needed to comply.