With the emphasis on complying with the requirements of the General Data Protection Regulation now shifting to what needs to happen after the regulation comes into force on 25 May 2018, Kevin Sullivan concludes his two-part series of articles for employers on how to ensure compliance is maintained.
The first article in the series is GDPR: what employers need to do after D-Day (Part I).
Although businesses employing fewer than 250 people are not obliged to maintain records about all the personal information they hold and how it is collected, stored and used, it is likely that records will be required for the frequent processing of employee data for HR purposes and for the processing of information relating to an employee’s health. Records will also be required for the processing of high-risk data, such as details of criminal convictions or other information which could affect an individual’s rights and freedoms.
Irrespective of the extent of your record-keeping obligations, consideration should be given to creating a central register within which certain key information is logged. This will help you to identify any patterns that begin to emerge in terms of potential shortcomings and in the types of requests being made by data subjects, and to plan for any action that needs to be taken specifically in respect of employees and other personnel.
Having a central register will also make it easier for you to spot when a serious problem has arisen, and where this needs to be reported to the Information Commissioner’s Office or affected individuals. It should also help to demonstrate the otherwise robust nature of your data protection compliance checks.
It is for you to decide – in consultation with your data protection officer if you have one – the information that should be captured, but this could include:
Where a breach or near miss occurs, it is important that you consider the reasons for it and take steps to ensure any gaps in your policies and procedures are plugged. Details of what happened should, where appropriate, be circulated to staff, together with an explanation of the changes being introduced as a result. It is important to learn from your mistakes and, where notification to the Information Commissioner’s Office is required, to be able to demonstrate awareness of existing weaknesses and a willingness to address them, particularly as this could help to limit regulatory and financial sanctions.
The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.