With the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, here are 3 steps to take now.
Step 1: Conduct a Data Protection Audit – Inception to Destruction
The first step of our ‘GDPR – 3 Steps to Take Now’ is a data protection audit.
What does this mean and what should it cover?
A data protection audit means a review of the way you process personal data*. It will identify your current level of compliance under the Data Protection Act 1998. Your DP audit may take many forms and will vary depending on the size of your business and how you process data.
*Data will be that which relates to a ‘living individual’. Some examples are HR documents, computer files, sales information, credit card and payment information provided by customers, and customer lists.
A DP audit will cover everything from the collection of personal data into your business through to its destruction. Areas covered under the DP audit will include all things HR, IT and sales at the very least. All policies, procedures, information notices, templates and communications will have to be reviewed. Whilst this blog focuses on employees, you will also have to cover customer data in your audit.
Consider the following; it will help you to understand the time this will take:
- Identify personal data gathered, what are your sources for employee data and customer data?
- Know why this data has been gathered, what is the purpose?
- Is it kept electronically or on a hard copy?
- How long is the data kept for?
- What systems are in place to identify whether the processing of the data is still valid?
- Demonstrate the consent you have to process the data; will this be valid for GDPR?
- Consent – are you relying upon explicit consent?
- Consent – have you identified the legal basis which you will rely on for the processing of data?
- Consent – have you documented a new procedure? Is consent obtained, clear and concise? Is there a documented withdrawal process? Have you provided details of the third parties that will have access to the personal data you process? How will you evidence this to demonstrate your accountability?
- Have you identified the type of personal data you have, will it be deemed a ‘special category’?
- How will you identify who can access the personal data?
- Do you understand what systems are used to store the data and how secure are they? Do you understand how an IP address may fall under the GDPR?
- Have you considered the impact of the IT servers and cloud storage you use and the security necessary to protect that personal data?
- Have you considered the devices which will contain or have access to personal data and how they should be managed in relation to GDPR?
- Electronic data, will you need to encrypt it or password protect it?
- Can you demonstrate how employees know their rights in respect of personal data?
- Have you identified who is responsible for the destruction of data?
- Have you implemented measures to prevent a data breach?
- What are your business reasons for using third parties? Health providers, occupational health and pension providers will be easier to justify with legitimate reasons than payroll, H&S, HR and recruitment agencies.
- Third parties: have these providers demonstrated compliance with the GDPR to your business, and if so, how?
GDPR – 3 Steps to Take Now – and this is only step 1! Phew, “I haven’t got time to deal with this”: is that what you are thinking?
You’re correct: you cannot be expected to conduct a DP audit entirely on your own. You will need to identify a GDPR team. This may include the IT Manager, the HR Manager, the FD, your Marketing Manager and other senior people.
Step 2: Comprehensive Gap Analysis – Accountability
Following a DP audit, you will be able to identify the gap between your current compliance level and the level you are required to meet under the GDPR.
The GDPR provides increased rights to individuals. Further, it introduces the new ‘ACCOUNTABILITY’ principle for companies processing data. As an employer, you will have to adopt ‘data protection by design’, which will include measures such as:
- Protective measures
- Record keeping
“Now what?” you may well ask!
Having understood where you do and don’t meet the requirements of the current DPA 1998, you can start to identify what steps are next to meet your obligations under the GDPR.
This will likely include:
- Updating policies and procedures and privacy notices
- Drafting new policies and procedures where they are absent
- Gathering compliance evidence from data processors
- Identifying your legal basis for processing
- Understanding the ACCOUNTABILITY principle better
Step 3: The final stage of our ‘GDPR – 3 Steps To Take Now’ is … Training
It will not be enough to tell your workforce of the new obligations placed on the company by GDPR; you will have to demonstrate it.
If an employee sends an email containing personal data to an incorrect recipient, you will need to demonstrate how this is dealt with. You will have to identify whether it amounts to a breach that must be reported and whether the data subject must be informed. Identifying this is not enough: you will have to demonstrate that the relevant employees have been trained to know what their responsibilities are under GDPR. Further, you will have to have a process identifying the stages to take should a breach occur.
You will need to design and deliver training to employees; this will vary in nature according to department, seniority and the responsibilities of the employees concerned.
That’s enough for this blog, don’t you agree?
This may appear to be quite intense, and yes, it is; however, it is manageable. This blog has only identified 3 steps which you should be taking now, so please understand there is much more to being ready for GDPR.
If you believe that you don’t have the knowledge of the Data Protection Act 1998 or the upcoming General Data Protection Regulation, then … why not hand it over to us at Jude Read-HR Consultancy?
We can come in and perform the DP audit for you; in fact, we can assist you with all 3 steps to take now.
What we need:
- Your time to identify the key stakeholders in the business and gain an understanding of the nature of your business.
What you get:
- A ‘gap analysis’ report
- Assistance and management of your preparation to be ‘GDPR ready’
- Minimal impact on your business and customers
- You decide the level of input you want from us.
We’re booking up fast, so don’t leave it too long.