Getting in Touch with Your GDPR.

In our last bulletin, we started to have a look at what the General Data Protection Regulation (“GDPR”) will mean for employers when it comes into force on 25 May 2018. In this bulletin we take a more detailed look at audits and consent.

Your preparation for the GDPR should start with an audit of all personal data held: what it is, who deals with it, with whom it is shared, what the justification for each use is and how long it will be retained. This will be a cross-departmental project, involving not just HR, but also IT, marketing, compliance and every other part of your organisation which processes personal data.

Once the information has been gathered and collated, it will need to be cross-checked and analysed before being set out in a comprehensive report with an action plan. As is always the case, the output of such an exercise is only as good as the information that went in. All relevant stakeholders across the business therefore need a clear understanding of the project, of what counts as personal data (including automated data and images), of the processes and procedures currently in place (including the operation of software packages) and, most importantly, of the reasons why the data is being processed.

It is always worth reminding people of the potential fines for non-compliance once the GDPR is in force: up to €20 million or 4% of global annual turnover, whichever is higher (not to mention the damage to your corporate reputation).

If you engage third party contractors (such as outsourced payroll providers, recruitment agencies, IT helpdesks or public relations agencies), you will need to consult these organisations too, asking them the same questions, so that you have a clear understanding of what happens to personal data in their hands.

As mentioned in our last article, it will become much harder to use consent as the basis for processing employees’ personal data: consent must be freely given, and an employee can withdraw it at any time, which you would not want where withdrawal would adversely affect the normal operation of your business. Where you have personnel management, marketing, organisational or regulatory reasons for processing, it should not be necessary to rely on an employee’s consent, and you would be better to rely on one of the other lawful bases. These are likely to be that the processing is necessary for the performance of the employment contract, for compliance with a legal obligation (eg pensions auto-enrolment) or for the pursuit of legitimate interests (eg publishing contact details on your website).

However, consent will still be required where none of the other lawful bases applies. Examples might be publishing someone’s qualifications or favourite pastimes in their biography on your website. In these cases, you will have to obtain specific, informed and freely given consent for that particular activity.
