We conducted a poll in May to see how many employers were preparing for the General Data Protection Regulation (GDPR) coming into force next May. Two fifths (41%) said that ‘we were aware of the law but were not taking any action’; 12% were not aware of it. It is now only six months before the GDPR becomes law and it is already too late for those employers that have not yet started their compliance efforts. With fines of up to €20 million or 4% of annual worldwide turnover, whichever is greatest, at stake, this requires immediate board level attention and stakeholder buy-in.
So what are the keys steps that reward professionals can take now to get up to speed?
Firstly, they need to work with other departments in the business to understand the new obligations and how they will impact the whole organisation. Organisations need departments such as HR, Legal, IT and Compliance to take a combined approach to the project. From an HR perspective, the following steps should be taken now:
Data auditing and mapping: employers should document all staff personal data being processed, why they process that data and where it is transferred. This will help employers understand exactly what personal data they are processing and what they are doing with it to assist with their compliance obligations.
Lawful basis for processing: using employee consent to justify an employer’s processing of their personal data is much harder under the GDPR and even discouraged by the UK’s data protection authority. Employers should assess the legal basis for processing employee personal data and document which condition(s) for processing they are relying on.
Privacy notices: the GDPR requires more detailed information to be provided to job applicants and employees to explain what the employer will be doing with their personal data. Employers should review and amend their current data protection policies to ensure they contain the mandatory information.
Third party processors: the GDPR places certain obligations directly on third party data processors – those processing personal data on the employer’s behalf e.g. outsourced payroll and benefits providers – for the first time and requires data processing agreements to contain more prescribed terms. Employers need to review the contracts with their service providers. If they do not contain the mandatory terms, they should renegotiate them.
Sarah Thompson is an employment lawyer with international law firm, McGuireWoods