We’ve caught up with Lucy Thomas, HR Director here at Curtis Fitch, to find out more about the new GDPR legislation and exactly what we’re doing here to ensure that we’re ready when it comes into play.
What is GDPR?
I was tasked back in October with managing the project of ensuring that Curtis Fitch is fully prepared with the necessary policies and procedures in place to comply with the new General Data Protection Regulation (GDPR) that will come into effect on 25th May 2018.
As you may or may not be aware, the GDPR is a piece of legislation that will comprehensively reform the current data protection regulations that apply in the EU.
Businesses of all shapes and sizes will be affected as it concerns the storage and usage of information relating to a named individual, whether they be customers, suppliers, employees or business contacts. As a result, businesses will need to review how they collect, hold and process this personal data, as well as how they communicate with individuals about this.
Much has been written about the GDPR and, initially, it seemed quite a daunting task to tackle. However, after attending a number of HR legal updates and a BSI introductory course on GDPR in November, I have a solid understanding of the various steps and measures we need to implement before May to ensure that we’re prepared.
The fact that Curtis Fitch already holds ISO27001 accreditation and was already compliant with the existing Data Protection Act was of course a good starting point. However, there are some significant differences that will come into play with the GDPR that I wanted to share with you.
So, what will change under the GDPR?
One of the biggest changes we’ll see under GDPR is the increase in sanctions for breaches of the GDPR, with any breaches now potentially leading to fines of up to 4% of global annual turnover. The conditions for obtaining valid consent are also changing, and there are greater transparency obligations. Companies must now provide more information on what data they hold and what they do with said data, whether it be employee, customer or business contact information.
Another big change focuses on accountability, with businesses now required to demonstrate their compliance and maintain records to deal effectively with an individual’s increased rights to access the personal data held on file about them.
To give you a greater insight, below is an overview of the various actions that I have been considering for Curtis Fitch and will be implementing over the coming months.
What action do employers need to take?
1) Conduct an information audit
Companies should carry out an information audit to map data-flow, enabling you to identify the data that you process and demonstrate how it flows through your business.
2) Create a Personal Data Register or Information Asset Register
Following the audit, you should detail what personal data you hold, where it comes from, who you share it with and what you do with that information. You should include categories of individual and personal data, and also include details of any retention schedules.
As one of the key aspects of the new regulations is to do with accountability, keeping this register demonstrates this compliance, giving you solid, documented evidence of compliance should you ever be audited by the ICO.
3) Review consent and lawful bases for processing personal data
Consent for processing data has to be clear and freely given, with businesses required to demonstrate that individuals were informed of the purpose and use of their personal data. In addition, where consent is required, then a record of it should be kept.
Organisations can of course process personal information lawfully for a number of reasons, such as performing an employment contract or complying with legal obligations. However, you need to be able to demonstrate the reason for doing so and should keep a record of this.
4) Review privacy notices
Individuals need to know that their data is being collected, why it is being processed and who it is being shared with. As such, privacy notices, including those in employment contracts and on websites, must be updated. They should be transparent, concise and written in clear, simple language; not hidden, difficult to find, or presented as a pre-checked opt-in box.
5) Review data processor contracts
Many businesses use a third party for data processing purposes, from outsourced payroll services to storage solutions. This is all classified as data processing and, under the new GDPR, businesses must have a written contract with any data processors they use.
Under the new legislation, you are liable for your processors’ compliance with the GDPR and, as such, a contract is important so that both parties understand their responsibilities and liabilities. Again, to ensure compliance, it’s important that these contracts are stored and updated; an important area where contract management software like CF Contracts can help.
6) Review data subject access requests
Under the GDPR, individuals will no longer be charged £10 for a subject access request and companies must respond within one month. It’s useful for employers to ensure that they have adequate processes and procedures in place to deal with such requests going forward.
7) Data breaches
This is another area where there is a significant difference between the old DPA legislation and the new GDPR. After May, organisations must have the correct procedures in place to detect, report and investigate a personal data breach and will be required to report data breaches to the ICO in the vast majority of cases. This is certainly not the case at the moment, where serious data breaches have occurred and are only reported several years later. Going forward, this simply won’t be acceptable.
So – there you have it – how we at Curtis Fitch are ensuring GDPR compliance and how your business can take the correct steps towards ensuring you’re fully up to date with the new requirements come May 2018.
If you’d like more information about GDPR legislation and what it means for your business, or if you’d like to find out how Curtis Fitch e-procurement software and contract management tools can help you, drop us a line here.