Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
As we sip champagne reflecting on the first anniversary of the effective date of the European General Data Protection Regulation (GDPR), we consider the obligations that employers should bear in mind. In this article, we set out four key steps that employers should consider taking on the road towards GDPR compliance:
1. Audit and analyse your data
Businesses should work out what data they process and focus on the more unusual data, for example, CCTV or fingerprint access. Employers should then consider the legal basis for which they process that data. The most significant difference for employers adapting to GDPR was a shift away from seeking consent to gather and process data (which is generally not appropriate in the employment context) to relying on other legal bases for processing.
2. Update documentation
The updating of documentation was one of the main focus areas for employers in the run up to GDPR. Documents subject to review included:
- Privacy notices. Employers are required to put in place specific privacy notices for employees (and clients, if appropriate) to tell them what the business is doing with their data.
- Employment contracts. Employers will need to update their contracts for new employees. Some employers that process a large amount of personal data might want to consider adding data protection obligations into their contracts.
- Policies. Employers that process “special” categories of personal data (i.e., health, race or religion) will need to have a policy document in place to explain what data they process of this nature, how they intend to comply with GDPR, and how long they will keep this data. Employers may also want to implement data protection/security policies to set out how their employees must comply with their data protection obligations.
3. Assess and address risks
After all of the hype in the run up to GDPR, it can be easy to forget that GDPR is an ongoing obligation and not a one-time exercise.
Employers can work on assessing ongoing risks by considering the following steps.
- Privacy impact assessments. Employers should conduct risk assessments before doing anything high risk or unusual. Employers should be focused on anything they do that is out of the ordinary, for example, perhaps where automatic decisions are made by computer software during the recruitment process or where there is CCTV in the workplace.
- Criminal records checks. The appropriateness of these checks are less clear cut under GDPR than under the old law, but if employers process employee criminal records, they should think about the reason for conducting the checks and the risks involved in doing so.
- Security. Security is another key focus under GDPR. While this isn’t something new, there has been a renewed focus on security under GDPR because of the higher fines associated with violations. Employers should be thinking about password protection and encryption and IT security, for example, when transmitting personal data.
- Data breaches. Employers should spend time thinking about data breaches and how they would deal with them if (or when) breaches occur.
4. Demonstrate compliance
Once employers have put all of the work into complying with GDPR, it’s worth documenting what has been done to help ensure ongoing compliance, for example:
- Data Protection Officer. Some organisations will need to appoint a Data Protection Officer, to act as the businesses’ figurehead for GDPR compliance both internally and externally.
- Pay a fee. Employers will need to pay a fee to the Information Commissioner’s Office depending on the organisation’s size and turnover.
- Cross border issues. International businesses will need to put some thought into cross-border issues, for example, how they transfer data in and out of the EU and documenting those flows.
- Keeping records. Businesses will need to maintain a record of all of their processing activities (which would hopefully be a straightforward task if they’ve conducted the analysis at point 1 above).
Readers interested in more information about employer duties under GDPR—including a more robust discussion of data breach protocols and how to deal with subject access requests—may wish to listen to a recording of our recent webinar on this topic, available here. Employers with questions about their data protection compliance projects should consult with experienced counsel for assistance.