25 July 2017
GDPR: The Facts
Social media is flooded with scary articles about GDPR, lots of statistics and conflicting information but very little in terms of cold hard facts. In this article, Julie Lock, Service Development Director at MHR looks at what GDPR is and what organisations should be doing from an HR perspective to meet the regulations. Plus use our free Online Self Assessment Checklist to help assess your current processes.
It’s an EU law we still need to comply
For those organisations who are not planning to become GDPR ready and for those who had started GDPR readiness then stopped when the Brexit results were announced let’s debunk the myth that because we are exiting the EU we do not need to be GDPR compliant because we do.
The Queen referred to GDPR in her speech on 21 June 2017 stating: “To implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”
On 25 May 2018 GDPR will apply to any company based in the EU and/or processing the personal data of EU citizens, leaving very few companies exempt from the obligations of this new regulation.
Questions you and your HR team should be asking
HR manage employee information; therefore personal data. For GDPR readiness you need to assess if all the information held is necessary. What is your legal basis for processing? How is it secured? How long do you keep it for? What happens if an employee wants to exercise their right to be forgotten, what is your plan? How do you inform employees why you need specific information and what you are going to do with it? Can you prove that you have not breached an individual’s information? And more importantly, do you know what personal data you process? Is it sensitive?
If you are not asking yourself these questions yet, now is the time to start.
Do you need a Data Privacy Officer?
Some organisations are required to identify if they need to appoint a Data Privacy Officer. It is worth mentioning that data privacy experts are predicting a Europe-wide shortage of suitably skilled Data Privacy Officers (DPO) by May 2018; so if an organisation does need a DPO and have yet to recruit one, they need to act fast.
Data processing
Organisations must understand what personal data they process, why they process it, how and who processes it and importantly the legal basis used to qualify the processing. They must provide adequate GDPR training to staff, carry out a maturity audit and implement recommendations. They also need to assess if they have:
- Clear, concise and adequate use of privacy notices
- A breach management strategy which meets the new compulsory reporting conditions
- Ability to fulfil data subject rights; including access and management of the withdrawal of consent
- Data processing maps to demonstrate and manage privacy risk
Business readiness
With so many conflicting reports in the media about GDPR, we carried out our own survey. The top two take away facts worth sharing are that 68% of the respondents have not yet received any GDPR awareness training, which is a worry. A further 53% have yet to access and appoint a Data Privacy Officer. Given the predicted shortage of suitable candidates for the role of Data Privacy Officers, the longer organisations leave it to recruit, the harder the challenge will become for HR.
So to summarise, there is a fair amount of work to be done, a maturity audit will help to identify areas of concern and define process changes. We also need to equip our staff on GDPR through adequate training – understanding that the highest percentage of breaches reported are caused by human error. The clock is ticking so you should be acting now.
