Recommendations for employers on staying compliant
GDPR tightens the rules around a subject access request (SAR), but you can still make sure you stay on the right side of the law.
You should have a procedure in place for complying with the reduced timescale. You should also create a policy for identifying a SAR and how it is dealt with. Include this in your terms and conditions or employee handbook so it is clear from the outset what procedure should be followed.
If you appoint a member of staff to manage your data protection and any SAR, you need to make sure you have a back-up in place in case they are away from the office – remember you will only have a month to respond.
Appoint a data protection officer
Under GDPR you must appoint a data protection officer (DPO) if:
- You’re a public body
- You carry out large-scale or systematic monitoring of individuals
- You carry out large-scale monitoring of special categories of data or data relating to criminal convictions and offences.
However, any organisation can appoint a DPO whether or not it is obliged to, and it is encouraged as good practice to have someone assigned to the role. It can be an existing employee, provided their DPO role doesn’t conflict with their existing duties, or you can appoint someone into a standalone role, depending on the size of your organisation.
Be aware, however, that if you do appoint a DPO, even when you don’t need to, you will then be obliged to comply with the legal requirements of GDPR that apply to the role.
If you decide to appoint an officer, they must:
- Be located in the EU
- Have expert knowledge of data protection law and be able to carry out the tasks set out in GDPR
- Have experience commensurate with the sensitivity, complexity and amount of data you process
- Be sufficiently senior in your organisation, but also be able to carry out their duties independently and not be directed by senior management.
Note that your organisation remains responsible for data protection, not the DPO.
Complete a data audit
It’s good practice to review regularly what information you hold on your employees and what data you work with in general.
- Establish what you have – List all the different types of data assets you have, such as CRM software or HR software. Include both computer and paper files you keep on your employees.
- Make sure you know where it all is – Once you have worked out exactly what you have, you need to make sure you know where it all is and how it is accessed. If you’re using HR software, for example, who has access to it, how is data inputted, and could there be data that isn’t yet stored on it, such as in another employee’s email when they’re looking for potential recruits?
- Talk to your team – To find out exactly where and how your data is processed and stored, you’ll need to speak to the key players in your organisation. Obviously, the fewer people there are, the easier this will be.
- Track – Track how the data is being used. Is there data you are storing unnecessarily? Is there data that needs to be deleted?
Review how data is collected and used
It is important to keep track of how your data is collected and used. Do you have a paper-based system organised in a filing cabinet for your employee personnel files? Are you using manual electronic employee records such as Word documents or spreadsheets, or have you moved to HR software, which often allows employee self-service? Do you store this data on a local internal system, or do you rely on cloud-based services?
Make sure the data you collect is relevant to your business. For example, storing records about employees’ work history is a legitimate use of data, but storing information about what they like to eat and their favourite colour could be classed as unnecessary unless you can show it is relevant to your business.
Also, make sure you know what processes are being used and how the data is handled, that it is handled securely, and review your policies regularly.
Take steps to prepare for GDPR
If you’ve already been compliant with existing data protection law, then it should be straightforward to make sure you’re compliant with GDPR.
- Carry out a data audit. Assess your current HR data and identify any gaps with the GDPR.
- Make sure you have a procedure in place for asking for employee consent to collect data. Asking once used to be enough to continue collecting data, but now you’ll need to get their permission each time you use or collect data for a different purpose.
- Under GDPR, individuals will also be able to withdraw their consent and will have the right to have their data erased. Where you rely on consent for collecting data, you may need to look at using other legal grounds instead in order to continue to process employee personal data.
- Revise your employee data protection policy and make sure you have an up-to-date privacy notice which details what information is collected, why, how it is stored and for how long.
- Consider appointing a data protection officer or giving someone within your organisation responsibility for data protection. Task them with advising on GDPR, monitoring compliance and liaising with the data protection authorities.
- Determine a data breach policy to ensure prompt notification if a breach does occur. Consider training employees to recognise breaches, and have a plan in place for what they should do if one happens.