7 June, 2020

Subscribe Advertise About Us

  • Governance
  • Strategy
  • Risk
  • Ethics

GDPR and staff data: the final countdown

General Data Protection Regulation comes into force in May, with sweeping new requirements for businesses that handle personal data.

data, data protection, GDPR

Image: Rawpixel.com / Shutterstock

Businesses across the EU have just four months to prepare for the implementation of General Data Protection Regulation (GDPR).

The new regulation—which will take immediate effect from 25 May 2018 without any need for domestic law ratification—introduces sweeping new requirements for companies handling personal data.

“Businesses need to understand the data held within the organisation, where that data comes from and where/how it is stored…”

–Sybille Steiner, Irwin Mitchell

Sybille Steiner, partner at law firm Irwin Mitchell, said that organisations need to conduct data audit to identify areas where action needs to be taken to ensure compliance.

“Businesses need to understand the data held within the organisation, where that data comes from and where/how it is stored, what happens to it while it is within the organisation and when and how it is deleted.

“Where any areas of non-compliance are identified, or where activities pose a risk, the business will need to formulate a plan to address them.”

GDPR requires organisations which process data—whether internally or externally—to obtain “specific, informed and freely given” consent from individuals whose data is being processed. This means businesses need to check their consent practices and existing consents and refresh them if they don’t meet the GDPR standard.

Consent requires a positive opt-in; pre-ticked boxes or any other method of default consent will not suffice, and consent requests should be kept separate from other terms and conditions.

Steiner said that it is common for businesses to have general “catch-all” consent clauses within employee contracts or data protection policies.

“These will no longer be valid forms of consent and businesses need to review employment contracts and policies to decide whether consent should be relied upon at all and if yes, in which form.”

Data protection review

Data protection policies need to be reviewed, she said, and should clearly set out:

  • what personal data is and why data protection is important;
  • information about the collection and use of personal data, on what basis and why this is processed;
  • what the data rights of employees are and how the employer will ensure these are upheld;
  • how data breaches are dealt with; and
  • the consequences, for the business and individual, of non-compliance.

“The written policy should also set out when and how specific categories of personal data are deleted,” she added. “It should include the new ‘right to be forgotten’, requiring data processors to delete personal data where the data is no longer necessary for the purpose in relation to which it was collected, consent has been withdrawn or if the data was processed in breach of the GDPR.”

All staff should be trained in handling data, she said, and businesses should have an internal reporting procedure in place to ensure they abide by the GDPR duty on all organisations to report any data breach within 72 hours.

, , ,

Related Stories

  • News

    Culture club: FRC report

    The UK's governance watchdog has produced its much anticipated report on corporate culture making a series of observations based on conversations with board chairmen, chief executives and stakeholders.

Register Free

Register to receive free article views and resource downloads, plus all the latest news alerts straight to your inbox.
Register

BOARD AGENDA
Board Agenda

BOARD AGENDA
Sorry, this report is only available for registered users.

Register free to download designated resources, or subscribe for unlimited access and exclusive content.

REGISTER SUBSCRIBE
This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.