GDPR affects personal data wherever it is held and whatever employers may or may not do with it. The Information Commissioner’s Office (ICO) can demand to see a record of your data processing at any time. Here we suggest the steps employers need to take:
- Identify the personal data that you hold
- Catalogue where the data is held
- Decide and record who has access to the data
- Determine how long to retain records
- Review your employee policies
- Implement appropriate staff training.
Identify the personal data that you hold
This could be any data you hold that can be related to an identifiable individual; the person does not need to be named. In many cases a job title alone will identify an individual. However, it does not follow that every time a person’s name is mentioned, written or otherwise recorded it is necessarily personal data. To better understand the concept it is useful to follow the ICO’s guidance on what counts as personal data.
Catalogue where the data is held
Unless you hold a catalogue of the personal data you process it is going to be difficult to demonstrate compliance with the regulations. The data may be on paper files or, increasingly, on company computers, servers or in the Cloud. Typically it will be in many places, but building the catalogue should not be difficult: for each item record what it is, where it is held and in what form. Draft the catalogue, review it, redraft and review again until you are confident it is complete and that due diligence has been done.
Decide and record who has access to the data
Access to personal data on paper needs to be restricted to those who need the information for legitimate purposes. Locked offices and locked filing cabinets will generally suffice, backed by a “clean desk” policy so that records are not left out where anyone passing can read them.
Access to computer data is governed by permissions. There should be routines and processes in place for deciding who is granted access, for removing that access when it is no longer needed (for example when someone changes role or leaves), and for verifying at intervals that the permissions actually in place match what was decided. The live permission settings show who has access now, but the result of each verification should also be kept as a dated record.
If you rely on an external IT supplier you need to check (and record) that these processes are in place. Better still, also ask your supplier to demonstrate periodically who has access to what, and keep a record of that too. Remember that your supplier itself has access to the data; make sure your contract covers that.
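As an added illustration of the catalogue and the permission-verification routine described above (not part of the original article and not Employer Solutions’ own tooling), the following Python script holds a small constructed catalogue of personal data, compares the approved access list for each location against a constructed snapshot of who actually holds access today, flags any retention date that has passed, and produces a dated review record that can be kept as evidence. The data set names, locations, user names and dates are all assumptions made for the example.

```python
from __future__ import annotations

import json
from datetime import date

# Constructed sample catalogue of personal data (assumed names, locations and
# dates, for illustration only).  One entry per data set: where it is held,
# who is approved to access it, and how long it is to be retained.
CATALOGUE = [
    {
        "dataset": "HR personnel files",
        "location": r"\\fileserver\HR\Personnel",
        "approved": {"hr.manager", "hr.admin"},
        "retain_until": date(2026, 3, 31),
    },
    {
        "dataset": "Payroll export",
        "location": "cloud: payroll-bucket/exports",
        "approved": {"payroll.clerk", "finance.director", "it-supplier"},
        "retain_until": date(2024, 12, 31),
    },
    {
        "dataset": "Disciplinary records",
        "location": "locked cabinet, office 2 (paper)",
        "approved": {"hr.manager"},
        "retain_until": date(2025, 6, 30),
    },
]

# Constructed snapshot of who actually holds access today, as it might be
# exported from a file server, a cloud console or a key register (assumed).
OBSERVED_ACCESS = {
    r"\\fileserver\HR\Personnel": {"hr.manager", "hr.admin", "former.employee"},
    "cloud: payroll-bucket/exports": {"payroll.clerk", "finance.director", "it-supplier"},
    "locked cabinet, office 2 (paper)": {"hr.manager", "hr.admin"},
}

# Date of the review used in the worked run below (assumed).
REVIEW_DATE = date(2025, 1, 15)


def review_access(catalogue, observed, today):
    """Compare approved access with observed access for every catalogued location.

    Returns one finding per unexpected accessor (to be removed), one per approved
    person who has no access (catalogue out of date), one per data set whose
    retention date has passed, and one per location with no access snapshot.
    Findings are listed in catalogue order so the record is reproducible.
    """
    findings = []
    for entry in catalogue:
        loc = entry["location"]
        base = {"dataset": entry["dataset"], "location": loc}
        actual = observed.get(loc)
        if actual is None:
            findings.append({**base, "who": None, "issue": "no access snapshot for location: obtain one"})
            continue
        for who in sorted(actual - entry["approved"]):
            findings.append({**base, "who": who, "issue": "access not approved: remove"})
        for who in sorted(entry["approved"] - actual):
            findings.append({**base, "who": who, "issue": "approved but no access: update catalogue"})
        if entry["retain_until"] < today:
            findings.append({**base, "who": None, "issue": "retention period expired: review for deletion"})
    return findings


def review_record(catalogue, observed, today, reviewer):
    """Dated, attributed record of one review, suitable for keeping as evidence."""
    findings = review_access(catalogue, observed, today)
    return {
        "review_date": today.isoformat(),
        "reviewer": reviewer,
        "datasets_reviewed": len(catalogue),
        "findings": findings,
        "outcome": "clean" if not findings else f"{len(findings)} finding(s) to action",
    }


if __name__ == "__main__":
    # Worked run: one leaver still has access, one data set is past its
    # retention date, and one person has paper access that was never approved.
    print(json.dumps(review_record(CATALOGUE, OBSERVED_ACCESS, REVIEW_DATE, "hr.manager"), indent=2))
```

In practice the observed-access snapshot would be exported from the systems that hold the data, and the same check can be run against the list an external supplier provides; the JSON record from each run is what you keep so that you can show the ICO a history of who had access and what was done about discrepancies.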
Determine how long to retain records
This is a question we are asked many times – we can provide guidance on this.
Review your employee policies
Appropriate employee policies will go a long way to protect you from ICO sanctions. You need to consider policies for:
- Data Protection
- Internet and email
- Social networking
Other policies, if you have them, may merit review:
- Disciplinary procedures
- Harassment and bullying
- Substance use and abuse
- Whistleblowing (Public interest disclosure)
Employer Solutions can provide the policies you need.
Implement appropriate staff training
Anyone who needs access to the information should be trained in the implications of GDPR and in how the data may be processed, secured and used.
Most reported data security breaches involve employee error, often simple carelessness. Having policies is one thing; following them is another.
Your staff need to understand the importance of data protection and security, to have the opportunity to challenge what they may see as “nonsense” and to be able to contribute in a positive way to the culture change that GDPR aims to bring about.
Employer Solutions can provide the training you need.
Malcolm Martin FCIPD
Author of Human Resource Practice.