Much of the publicity surrounding the General Data Protection Regulation has focused on what needs to be done in the run up to 25 May 2018 when the new data protection regime comes into force. However, it is what happens beyond this date that really matters because it is only when the processes and procedures introduced to ensure compliance actually ‘go-live’ that their effectiveness can be assessed.
For employers having to deal with the personal data of new joiners, as well as the data of existing and departing members of staff, the challenges of ensuring continued compliance are significant. In part one of a two-part series of articles Kevin Sullivan, offers some practical advice on the steps you can take to make the task easier.
‘Processes and procedures introduced to ensure GDPR compliance will only be effective if they are followed consistently and reviewed regularly, and if lessons learned from breaches or near misses are translated into changes in practice’, says Kevin Sullivan. ‘Concentrating on ensuring that this happens is what employers need to focus on.’
You need to ensure that everyone who works for or with you is aware of your policy on data protection and of the procedures that need to be followed to ensure the processing of personal data is carried out fairly.
A copy of your data protection policy and privacy notices should be made readily available, and where necessary appropriate and targeted training provided. Checks to ensure the correct procedures are being followed should be carried out regularly and instances of non-compliance dealt with swiftly. Training on GDPR for those new to your business should be included as part of the induction process.
Particular attention should be paid to long-standing members of staff who may have got used to the ‘old way’ of doing things and who may therefore struggle to make the move to doing things in the way required under the new rules.
Remember that privacy notices under the new regime will need to contain more information about your processing activities, including how long personal data will be stored for, whether it will be transferred to other countries, the right to make a subject access request and to have information corrected or erased in certain circumstances. As you get used to working under the new rules, these will need to be reviewed to ensure they cover all the bases.
Employees should be reminded of the importance of ensuring that their personal details are kept up to date and of reporting any concerns they have as soon as possible. This applies not just to their own data but to data held about colleagues, clients, suppliers and other third parties too.
Where you intend to monitor your employees’ activities, for example to check for excessive use of the internet for personal purposes or to detect and prevent criminal activity, employees need to be made aware of this.
Policies and procedures in relation to data protection should be viewed as living documents that need to be updated and tweaked in response to changes in the way data is handled and to deal with any identified gaps in provision.
You should nominate someone to take charge of the review process and ensure your policies and procedures remain fit for purpose.
Remember, the penalties for getting things wrong can be severe: a fine of up to
€20 million or four per cent of annual worldwide turnover and the right for affected data subjects to claim compensation, not just for financial losses but also non-financial harm, such as personal distress or upset.
Any checklists you have for new starters or departing members of staff should include a data protection section. For new starters, you need to ensure that you have thought about the data you will want to process and why that is justified and that your policies and procedures on data protection have been explained and made accessible to them. Give thought to any additional considerations that arise with individual employees, such as the need to take extra care with information about criminal convictions.
Where you intend to rely on employee consent to process personal information, you will need to ensure that this is expressly given: remember that standard form, catch-all consent clauses contained within a contract of employment or service agreement will not suffice. Instead, it will usually be preferable to rely on one of the legal grounds for processing the personal data of new recruits.
Think about data submitted as part of the job application process, both for successful and unsuccessful applications. Will CV’s, correspondence and interview notes be retained and if so, on what basis and for how long?
With departing employees, you need to consider what should happen to any personal data and whether a request for erasure should be accepted. Broadly speaking, such a request can and should be refused where there is a legal obligation to continue to use the information, for example to comply with regulatory requirements, or where you believe that it may be needed to bring or defend a claim of some sort.
The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.