Opinion

Are you actually GDPR compliant?

29th July 2019

Are you actually GDPR compliant?

Whilst many organisations have published Privacy Standards and Data Protection Policies for clients and third parties on use of personal data, they often neglect to implement or update similar policies covering employees or workers (‘staff’).

An organisation is likely to use, transfer and disclose personal data about its staff through the contract of employment, payroll, disclosures to HMRC, recording of holiday and sickness absence, payment of benefits, and in many other areas.

An employer is more likely to use special categories of data (race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation) concerning its staff, than it is when dealing with customers. For example, information about health is likely to be processed when managing a sickness absence.

In all instances of data processing, compliance with GDPR must be evidenced. Such data processing is likely to last for the entire duration of the employment relationship, and after termination of employment too.

We take a look at the common mistakes in GDPR compliance from a HR perspective and how they can be avoided.

  • Having an out of date policy and employment contract.

A policy compliant with the Data Protection Act 1998, but not with the Data Protection Act 2018 and GDPR may lead to liability for the employer and complaints to the Information Commissioner.

Organisations are obliged to inform staff of all of their new rights in relation to their personal data, and how to exercise those rights. Old policies may not cover the extended new rights that individual data subjects now enjoy.

Equally, contractual clauses giving blanket consent to process personal data will not be compliant with the new GDPR regime, which requires consent to be explicit and freely given, not hidden away in lengthy contractual terms.

If your documents do not contain all the relevant prescribed information, your organisation is vulnerable to enforcement action from the Information Commissioner and potential fines.

  • Failure to publicise a compliant policy

Having a compliant policy is of little use if it is not widely publicised, and staff do not understand their own rights, or their own duties and obligations to assist the organisation to protect the data of its own clients and customers.

Training at induction stage can assist the employer in evidencing staff understanding of their own data protection rights. Focussed training for staff who work in areas of your organisation that manage personal data on behalf of others (such as client-facing departments, HR and Health and Safety) can ensure staff understand how to assist the organisation to achieve GDPR compliance. 

  • Failure to be Transparent 

It is a key principle of the new regime that employers are transparent with staff about their processing activities. If your policies and documentation do not give examples of the type of personal data or special categories of personal data that you hold, you are unlikely to be compliant with the transparency principle. 

Common areas where employees may not understand how, why and how long their personal data is being processed by the employer organisation (and third parties) include:

  • through a recruitment process;
  • management of pension scheme of other external benefits;
  • premises access logs;
  • biometric and location data through use of company devices;
  • premises or vehicle CCTV and location data;
  • DBS checks;
  • social media posts, usage and content;
  • after employment ends, for example giving references or making statutory disclosures to the Job Centre.

Organisations can evidence transparency by recording and publicising their justifications about why they need to gather, use or disclose particular personal data. If you cannot find a justification for processing the personal data, then you are unlikely to need it and continued retention and use of that personal data is likely to be unlawful.

Justifications should be reviewed regularly, to ensure that they still apply and to record any changes of purpose. 

  • Failure to evidence Accountability

Accountability is another important principle of the GDPR, and is a requirement to evidence compliance with the regulations. This can be done through introduction and implementation of compliant policies and procedures, as well as effective internal compliance measures and external controls.

For example, this could include reviewing and introducing new software which affords greater security controls, and assists in securely deleting data when the purpose for using it has finished. 

  • Failure to conduct Data Protection Impact Assessments

A Data Protection Impact Assessment is a similar concept to a health and safety risk assessment. The organisation is required to weigh up the rights of their staff to privacy, against their own reasons and justifications for particular data processing activities.

An organisation would usually complete a Data Protection Impact Assessment, where the processing is likely to result in a high risk to the rights and freedoms of data subjects. This can include introduction of new processing (such as introducing CCTV cameras) or a change to existing data processing (e.g. the introduction of new HR software).

Failure to document consideration of data subject rights, will cause difficulties in the event the employer needs to evidence compliance and a culture of privacy by design, to the Information Commissioner. 

  • Failure to implement appropriate and adequate security measures

GDPR requires organisations to take steps to ensure the security of the personal data they use. This obligation also covers ensuring the security of personal data when disclosed to third parties.

Failure to take security measures to restrict access to data, encrypt data, securely store and delete data, will increase the changes of an organisation experiencing a data security breach.

If you need assistance with GDPR compliance for your staff, please contact Katherine Cooke.

 

 

Other news

Contact us

3 Waterfront Business Park
Brierley Hill
West Midlands, DY5 1LX

Email: law@higgsandsons.co.uk
Call Us: 0345 111 5050

Follow @HiggsandSons on Twitter  Join Higgs & Sons on Facebook  Join Higgs & Sons on LinkedIn

Newsletter

Keep up to date with all the latest here.