Employers are being reminded to take stock of their data protection policies in the lead up to the General Data Protection Regulation (GDPR) coming into effect.
GDPR, which will take effect on 25 May, will give people greater control over how their personal data is used and provide them with the “right to be forgotten”.
Under the current Data Protection Act (DPA) 1998, the most commonly used basis for processing employee data is consent obtained in an employment contract. In most cases, this will not be an effective route for employers once the GDPR comes into effect. Employers therefore should look at the personal data they have stored and identify one of the other legal bases to justify its purpose. If there is no obvious reason to store it, they should consider removing it.
Another key change under the GDPR is the amount of information and detail which must be supplied to employees when processing their personal data. Employees should be informed about the risks of poor data security and of companies holding on to data that is no longer relevant. Mandatory training sessions to ensure they are properly educated on the facts could be necessary.
Dean Forbes, CEO at technology firm CoreHR, said businesses shouldn't view the regulation as a burden; rather, they should consider it an opportunity to review their current policies around collecting and storing data.
“The next few months are all about ensuring employee data is fully safeguarded, that you're fulfilling your legal duty to your employees and the impending legislative requirements,” said Mr Forbes.
Paper logbooks used to monitor visitors to business premises should also be handled with care, says Karen Cheeseman, GDPR consultant at the PrivacyTrust.
She said: “A lot of this depends on what the organisation does with the data. Is it simply a way of knowing who is in the building at a given time, or is the organisation storing and using that information for another purpose, such as marketing or profiling?
“If it is simply for knowing who is in the building at a given time, then the main points to make are data privacy.”
Software firm Senzing conducted a study in which it found that almost half (44%) of companies are concerned about their ability to be compliant after the GDPR deadline.
Although it is an EU regulation, Brexit is unlikely to influence whether the UK continues to adopt GDPR. The regulation applies to all organisations collecting and storing data relating to anyone who resides in the EU.
If an organisation is found to be in breach of GDPR after the deadline, it could face a fine of 4% of its annual turnover or €20m (£17.8m), whichever is greater.