GDPR – One Year On
It has been almost a year since we were all overloaded with the surge of information surrounding the General Data Protection Regulations (GDPR), together with the hundreds of emails requesting us to opt in and consent to our data being processed by various different organisations.
But one year on, is your business compliant with GDPR?
Do your employment contracts, handbooks and privacy policies accurately reflect how you are handling and processing employees’ data?
Do your privacy policies set out in clear terms why data is being taken and who it will be shared with?
Would you be able to comply with a subject access request by a current or former employee within the specified time frame of 30 days?
Are you regularly carrying out data audits, checking what data is held and where it is stored?
Amidst the plethora of articles that were published last year, ACAS provided helpful guidance for employers which clearly summarised the six principles in relation to data processing, which it is useful to recap here:
- All personal data must be processed fairly and in a clear and transparent manner
- Any data that is processed must only be processed for a specified and lawful purpose
- The data that is stored should not be excessive
- The data should be kept up to date
- Data that is kept should not be kept for longer than is necessary
- All data should be kept secure
The Information Commissioner’s Office (ICO) also published materials to help businesses understand their obligations under GDPR.
While some businesses tried to be fully compliant by 25 May 2018, others took the view that so long as they were taking appropriate steps to comply that was enough. We haven’t yet seen a huge influx of enforcement actions taken by the ICO in the past year concerning breaches of the GDPR because the ICO recognised that it takes time to be fully compliant.
While the ICO took a light-touch approach to enforcement action in the past 12 months under GDPR, it did take action and fined a number of organisations, such as Facebook, Uber and The Royal British Legion, under the now largely superseded Data Protection Act 1998.
However, watch this space. Twelve months on, the GDPR honeymoon is likely to be over, so get compliant if you are not already. All it takes is one rogue employee to do something with personal or sensitive data and the ICO could be investigating your business and issuing a fine.
It isn’t too late to review your policies and to make relevant internal changes to ensure that you are up to date and fully compliant with GDPR. Given the huge increase in the potential fines for businesses if a data breach is found, it is crucial to seek legal advice to make sure all policies and contracts are clear about what personal data is being taken and why such data is being collected. You should also seek advice to ensure that internal processes are adequate; that you are aware of your obligations as an employer; and that you are well equipped to deal with any data subject access requests, should an employee make one.
If you would like to discuss GDPR and data protection in an employment context, please contact me on 020 7288 4754 or email firstname.lastname@example.org. Alternatively please contact a member of our Employment Team.