Are You Prepared for GDPR?
The General Data Protection Regulation (GDPR), coming into force on 25th May 2018, is new legislation being introduced to strengthen and unify data protection for European Union residents.
The reform will impact all businesses working with individuals residing within the European Union.
It is imperative that companies begin investigating how GDPR will affect their business prior to the enforcement date of 25th May 2018, as many of the legislative changes will have complex implications that will need to be addressed in order to ensure compliance.
We spoke to Bex Sinclair, Head of HR Consultancy at Employment Law specialists Clarke Willmott, on the implications of the introduction of GDPR. Bex comments: “These changes in Data Protection legislation are much needed given the fast-changing world of digital data. The new GDPR changes are important and do require action from all businesses, large and small. Employment contracts and staff handbooks will certainly need to be updated, and it is important that companies have a procedure for staff to follow in cases of a data breach, e.g. if they send the wrong information to the wrong client – what should they do? Mistakes will be costly in terms of fines, so it is important to take the time to review what you have and be prepared. We can certainly help with this in terms of training your team on the new changes and making sure you have the right documents in place.”
In order to ensure that their customers are at the forefront of this legislative requirement, Clarke Willmott have developed a useful information sheet concerning GDPR for Employment Contracts, and a GDPR factsheet. For a copy of these documents, please contact our marketing department on firstname.lastname@example.org.
At Moon Consulting, our Office Administrator, Abbie Richards, has been appointed as our Data Protection Officer, and is currently investigating how GDPR will affect our business.
We asked Abbie to summarise the most crucial factors to account for when considering GDPR:
1. Firstly, consider appointing a Data Protection Officer, who can monitor compliance both before and after implementation of GDPR
2. Be clear on what constitutes personal data
3. Review all of the documentation and information you hold, ensuring it is accurate and up to date
4. Ensure all of your documentation is GDPR-compliant: check that everyone has the option to ‘opt in’, not opt out! Perhaps add a tick box on all relevant correspondence, so that clients/candidates have the option of being contacted again in the future, or add a line to the footer of all emails which again gives the option of opting in to future correspondence
5. Check your database and records, ensuring that everyone on your system has been contacted within X number of months/years with regard to whether they are happy for us to hold their details on file (n.b. the exact timescale is still to be confirmed by The Information Commissioner’s Office (ICO))
6. Note that any requests received from an individual to access the information we hold on file for them must be actioned within one month. That means that all information must be collected and presented within that time frame. Also, no charge can now be made to the individual for presenting them with this information, so such requests may increase after the GDPR implementation. It might be an idea to draw up a standard letter for subject access requests in preparation
7. Communicate data breach protocols to all members of staff, so that everyone is aware of what happens should a data breach take place. It is everyone’s responsibility to be compliant, and failing to comply with GDPR could result in fines for employees, not just the company itself
8. Review employee handbooks, contracts and data protection policies to ensure they are compliant