What employers must do to comply with new Data protection laws (GDPR) from 25th May ’18.
With under a 100 days to go before the General Data Protection Regulation (GDPR) comes into force, many employers are still wondering what their requirements are under GDPR. We are here to help you be compliant?
What employers should consider
The GDPR will bring some very important changes to data protection law. It will be supplemented in Irish Law by the DRAFT Data Protection Bill 2018, which has just been published. It is an opportunity for organisations to show their staff and clients how much they care about everyone’s personal data.
You must comply, so why not make it work for you.
Plan NOW for the 25th May deadline for the enactment of the GDPR and Data Protection Bill Below are 12 steps employers should be taking now:
1. Lawful basis for processing
Most employers currently rely on employees giving consent to the processing of their data in an employment context by including a clause in their employment contract. However, consent in this context is unlikely to be lawful under the GDPR and therefore employers will need to consider an alternative basis for processing employee data. Employees must be informed of the employer’s change in approach to processing their personal data before 25 May.
2. Privacy Notices
Employers will be required to inform employees of the following:
- what data they collect
- what lawful basis they rely on for doing so
- what the data will be used for
- how it will be stored
- who will have access to it
- how long it will be kept
This information must be set out in a Privacy Notice for all employees, together with your independent contractors, job applicants, any consultants and possibly ex-employees. We would advise employers to carry out an audit process now, to properly understand and collate the information needed to be communicated in the Privacy Notice(s).
3. Legitimate interests’ assessment
Where an employer seeks to rely on its legitimate interests as a lawful basis for processing of employee data, it will first need to carry out a legitimate interest’s assessment to ensure that it has balanced the legitimate interests with the privacy rights and freedom of the employee and that it is proportionate in the circumstances. Employers should be completing such assessments now, including details in their privacy notices, to be ready for May.
4. Updating policies and procedures
The GDPR changes need to be reflected in an organisation’s policies and procedures, and should be updated in readiness for May, most notably:
- Data Protection policy
- IT security policies
- Disciplinary and grievance procedures
- Data retention policies
5. Data cleaning
Given that one of the principles under the GDPR is data minimisation, now is a good time for employers to undertake a data cleansing exercise, deleting data which is no longer necessary to keep, such as duplicate copy disciplinary notes or old CVs kept in manager’s drawers ‘just in case’. Also remember, you don’t have to provide personal data, that you don’t have any more! Employers should introduce measures to ensure that employees’ details are kept up-to-date and accurate.
6. Review recruitment processes
Employers who carry out background or Garda checks as part of their recruitment process will need to review such procedures as such checks may not be permissible under GDPR, with the possible exception of specific regulated activities.
7. Get ready for DPIAs
Under GDPR, prior to any organisations introducing new systems or processes, which are likely to be a high risk to the privacy rights of individuals, a Data Protection Impact Assessment (DPIA) will need to be carried out.. Some examples of this would be looking to introduce a new vehicle tracking system, random drug testing, or CCTV surveillance. Employers should therefore make sure that they have appropriate forms /guidance notes in place to support such assessments as they will be required to prove they have done so in the event of an inspection.
8. Third party providers
If an organisation outsources functions to any third-party provider, such as wages or pensions ,it will be important to review the contractual arrangements in place with those providers. Under GDPR there are clauses which must be included in the contracts and certain provisions, such as indemnities and warranties to cover a data breach by the third party, which would be advisable to be laid out in the contract.
9. Data subject access
Data subject rights under GDPR are greatly enhanced, most notably in relation to data subject access requests. Employers should therefore expect to get a larger volume of requests and be prepared, ensuring their systems, policies and procedures are updated accordingly. We would advise employers to have a specific data subject access policy to help employees understand what data subject access requests are and how they will be dealt with by the organisation
Reviewing current security measures will be vital, looking at who currently has access to employee data, particularly health information, which is classed as special categories of data under GDPR. Organisations should ask whether access to this information should be limited (we would advise that it is), what information should be safely locked away and what practices should be in place to encrypt and/or password protect information.
GDPR will require every person within an organisation to understand and comply with data protection obligations. It is therefore essential that employers put in place appropriate training programmes for managers and staff, which should be completed prior to GDPR roll-out in May.
12. Record keeping
Finally, under the GDPR there is a new accountability principle, which means that organisations must be able to demonstrate compliance with the new regime. Organisations will therefore need to ensure that they have appropriate record keeping processes in place.
C. B. Robinson’s GDPR DRIVE
To help you and ensure that you will be compliant and ready for the GDPR roll-out, we can carry out a detailed audit for you, identifying your specific needs and producing a report, working with you in order to agree a tailored service to address any key non-compliance issues, in order that you are ready for 25 May 2018. It will enable you to optimise your data collection, trumpet your data caring credentials and to make the most of the data to derive business benefits from these essential new regulations.
We are planning a series of breakfast briefing for organisations on GDPR, please contact us to register your interest or for more information.
This new regulation, the General Data Protection Regulation (GDPR), which came into force on 25th May 2018, acts to strengthen the core values of the 1995 Data Protection Directive with additional principles and rights. The two overarching principles of...
Any Data Controller that is subject to GDPR, will need to have in place an appropriate Data Processing Agreement with any third party that it shares data with, where that third party is a processor, as defined under GDPR. GDPR applies to both Controllers...