With the emphasis on complying with the requirements of the General Data Protection Regulation now shifting to what needs to happen after the regulation comes into force on 25 May 2018, Kevin Sullivan, concludes his two-part series of articles for employers on how to ensure compliance is maintained.
To view the first article in the series, please click here GDPR: what employers need to do after D-Day (Part I)
Record keeping and central register
Although businesses employing less than 250 people are not obliged to maintain records about all the personal information they hold and how it is collected, stored and used, it is likely that records will be required for the frequent processing of employee data for HR purposes and for the processing of information relating to an employee’s health. Records will also be required for the processing of high risk data, such as details of criminal convictions or other information which could affect an individual’s rights and freedoms.
Irrespective of the extent of your record-keeping obligations, consideration should be given to creating a central register within which certain key information is logged. This will help you to identify any patterns that begin to emerge in terms of potential shortcomings and in the types of requests being made by data subjects, and to plan for any action that needs to be taken specifically in respect of employees and other personnel.
Having a central register will also make it easier for you to spot when a serious problem has arisen, and where this needs to be reported to the Information Commissioner’s Office or affected individuals. It should also help to demonstrate the otherwise robust nature of your data protection compliance checks.
It is for you to decide – in consultation with your data protection officer if you have one – the information that should be captured, but this could include:
- the categories of data held and the purposes for which data is processed;
- the basis on which the right to process data exists, for example express employee consent or lawful purpose on the grounds of legal obligation, contractual requirement or legitimate business interest;
- details of any requests made by employees concerning their data, such as a request for the removal or correction of erroneous data or to have data erased;
- any time limits or restrictions that apply when dealing with a request;
- any steps that need to be taken while a request is considered, for example restricting continued processing where the purpose for which processing is undertaken has been challenged;
- the outcome of a request, together with reasons;
- any withdrawal of consent and the steps taken as a result;
- the date and means by which an employee’s personal data has been erased, including the steps taken to ensure erasure by any third-parties to whom the data has been transferred;
- any breach of the GDPR rules that need to be notified to the Information Commissioner’s Office, and, in the case of breaches which pose a high risk to a person’s rights and freedoms, affected personnel;
- any financial penalties or other sanctions imposed; and
- internal action taken to prevent further breaches and near misses.
Learn from your mistakes
Where a breach or near miss occurs is it important that you consider the reasons for this and take steps to ensure any gaps in your policies and procedures are plugged. Details of what happened should, where appropriate, be circulated to staff and an explanation given of the changes being introduced as a result. It is important to learn from your mistakes, and, where notification to the Information Commissioner’s Office is required, to be able to demonstrate awareness of existing weaknesses and a willingness to address them, particularly as this could help to limit regulatory and financial sanctions.
For advice on data protection from an employer’s perspective, please contact Kevin Sullivan on 01732 770660 or email [email protected].
The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.