By Floyd Graham
FG Solicitors
THE clock is undoubtedly ticking for employers as we edge ever closer to 25 May 2018 when the General Data Protection Regulation (GDPR) becomes law. Naturally, there will be those organisations that fail to comply with their obligations and make headlines if only through fines or strengthening a disgruntled employee’s ability to bring successful claims. But enough scaremongering!
The question on most employer’s lips is, what do we need to do to get ready? In broad summary there are five key steps:
* Data mapping
* A review of the key employment documents that touch and concern data protection
* Training staff on policies and what to do if there is a breach
* Dealing with Data Subject Access requests
* Appointing a responsible person with overall knowledge and gatekeeping responsibility.
The starting point for employers is what is now referred to as Data Mapping which, put simply, is to look at what data is held and processed, where it comes from and for what purpose it is processed. This will enable employers to identify their legal justification for processing it.
Historically, a significant proportion of employers have not really given much thought to the justification for holding the employee data that is held in their organisation preferring to rely on a clause in their standard employment contract requiring employees to give their consent to the employer using their data in whatever way they needed to. Once the GDPR is in force, placing reliance on employee consent may not only prove ineffective it may also result in an onerous administrative burden for employers.
Data mapping is a worthwhile exercise for employers of any size and will lead to those employers identifying and adopting the most appropriate GDPR compliant reasons for justifying data processing within their own organisations.
The next step for employers is to review existing documents, contracts of employment, policies and procedures in the staff handbook and staff privacy notice in particular. This is to ensure that they are all GDPR compliant. It is also important to ensure that any contracts in place with third party service providers for example payroll services providers are also GDPR compliant.
Employers need to ensure that their employees receive training in relation to what their obligations are such as record keeping, retention of data and reporting obligations in relation to breach of the GDPR.
The right of employees to make data subject access requests is nothing new but it is likely under the new regime that employers will see an increase in such requests. The GDPR has removed the right for employers to charge a fee save in exceptional circumstances and has also shortened the time limit within which an employer must respond to such requests from forty days currently to save in exceptional circumstances one month.
Finally in this summary, the responsible person or Data Protection Officer (“DPO”). Not all employers are required to have one but the process of deciding whether to put one in place is an important exercise for all employers to go through. If an employer choses to have a DPO time spent in selecting the right individual will be time well spent.
Employers are well advised to get the ball rolling, there is very little time left to define and implement an effective GDPR compliant infrastructure even if the process has already started.
The Team at FG Solicitors can help you with tailored best practice HR and legal audit solutions, beginning with evaluating your current data protection framework enabling you to confidently establish a GDPR compliance roadmap. We will work with you to identify remedial action tailored to your method of operation, thus ensuring a best fit data compliance framework. Regardless of the size of your organisation, we can tailor our GDPR support services to your specific needs.
If you would like more advice contact a member of our team on 01604 871143.
