12 months since GDPR

As we reflect on the first anniversary of the effective date of the European General Data Protection Regulation (GDPR), we set out four key steps that employers should take to ensure GDPR compliance:

1. Audit and analyse your data

Employers should work out what data they process and focus on the more unusual data, and then consider the legal basis for which they process that data.

2. Update documentation

The updating of documentation was one of the main focus areas for employers in the run up to GDPR:

  • Employers are required to put in place specific privacy notices for employees to tell them what the business is doing with their data.
  • Employers will need to update their contracts for new employees. Some employers that process a large amount of personal data might want to consider adding data protection obligations into their contracts.
  • Employers that process “special” categories of personal data (i.e., health, race or religion) will need to have a policy document in place to explain what data they process of this nature, how they intend to comply with GDPR, and how long they will keep this data.

3. Assess and address risks

GDPR is an ongoing obligation and not a one-time exercise.  Employers can work on assessing ongoing risks by considering the following steps:

  • Employers should conduct privacy impact risk assessments before doing anything high risk or unusual. Employers should be focused on anything they do that is out of the ordinary, for example where there is CCTV in the workplace.
  • The appropriateness of criminal records checks are less clear cut under GDPR than under the old law, but if employers process employee criminal records, they should think about the reason for conducting the checks and the risks involved in doing so.
  • Data security is another key focus under GDPR. While this isn’t something new, there has been a renewed focus on security under GDPR because of the higher fines associated with violations.
  • Employers should spend time thinking about data breaches and how they would deal with them if (or when) breaches occur.

4. Demonstrate compliance

Employers should document what has been done to help ensure ongoing compliance, for example:

  • Some organisations will need to appoint a Data Protection Officer, to act as the businesses’ figurehead for GDPR compliance both internally and externally.
  • Employers will need to pay a fee to the Information Commissioner’s Office depending on the organisation’s size and turnover.
  • International businesses will need to put some thought into cross-border issues, for example, how they transfer data in and out of the EU and documenting those flows.
  • Businesses will need to maintain a record of all of their processing activities.

For advice about any of the issues raised in this article or other issues relating to employment law, please contact our employment law specialist Anna Illingworth via email at anna.illingworth@rowberrymorris.co.uk or call 0118 958 5611.