Many of the requirements will remain much the same as under the current Data Protection Act (DPA), and if companies are already compliant with the DPA that will go some way, but not all of the way, towards meeting the new regulations. However, there are also significant new requirements, and the changes substantially increase the fines for breaches of the data protection principles.
The GDPR will have implications for all aspects of an organisation's work: Operations, Finance, IT, HR, Communications, etc. It could also affect how organisations deal with customers and external organisations. It is essential that organisations put in place a process for compliance. The Information Commissioner's Office has published a very handy booklet and checklist for complying, which identifies 12 steps to take now.
It covers Awareness, Information Held, Communicating Privacy Information, Individuals' Rights, Subject Access Requests, the Legal Basis for Processing Personal Data, Data Breaches, Data Protection Impact Assessments, Data Protection Officers, and International Implications. See https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12steps.pdf
The Key Steps are:
1. Ensure key people and decision-makers in the organisation are aware that the law is changing, and allocate the resources needed to deal with the changes.
2. Conduct an information audit and data map across the organisation or in relevant business areas: what is held, by whom and for what purpose, etc.
3. Put in place a plan for implementing any action needed and communication of how information will be held and processed.
4. Ensure that procedures, individuals' rights and consents are maintained in relation to personal data, including the right to have data deleted.
5. Revise, as needed, procedures for dealing with Subject Access Requests.
6. Ensure that processing meets the legal requirements of the GDPR and that this is communicated in writing in a Privacy Notice (or Notices).
7. Review and revise how organisations seek, record and manage consents.
8. If applicable, put in place a system to obtain and manage consents for children's information.
9. Put in place procedures to detect, investigate and manage data breaches (and to notify the ICO where required).
10. Adopt a 'Privacy by Design' approach and policy, and conduct Data Protection Impact Assessments where data processing is likely to result in high risk to individuals.
11. Appoint a Data Protection Officer (mandatory in some circumstances) or a designated person to take responsibility for compliance. This role should have sufficient influence within the organisation to ensure that compliance happens.
12. If an organisation operates internationally within the EU, determine its lead data protection supervisory authority and location, and how information processing will be managed across jurisdictions.
For more information on GDPR and assistance with the HR audit, data mapping and compliance, contact Jim on 01329 519919 or firstname.lastname@example.org
Morgan Gil HR