Things to do to prepare for GDPR
Posted in: Seamus Says - Employment Law Discussion on 18 October 2017
Q. The GDPR is a big threat, with €20 million fines being the headline scare, how might we best prepare for it? If we could do just three things before the 25th of May 2018, which is when it kicks in, what would you recommend?
Seamus: I know this is a hot topic in relation to GDPR. I think people are feeling a bit of panic in terms of it coming, and it's so close to coming. The 25th of May is not that far away. The purpose of it is to strengthen and unify data protection for individuals within the EU, but it is also going to impact us in the UK. There's no get-out clause for us, unfortunately. That's the way that it's going to be.
In terms of three things, it's hard to limit it to three things.
Scott: I'm going to limit you to three. No, four, you can do four.
Seamus: You're going to hold me to that.
Scott: No more than that.
Seamus: In our office here, what we did, and this was a good idea, was to hold seminars during the summer months. People are off during the summer. We had a number of seminars. We really looked at our internal awareness, if I call it that. That was about educating our staff, our support staff and our professional staff, in terms of general data protection and also what would happen with GDPR further down the line. It's just about bringing it to their attention and, I think, making sure that people are aware. So, it's the silly things that people might do: have a file of papers with their client details on it and leave it at a restaurant because they've been out for lunch straight after their appointment . . .
Scott: That's not really any different than the existing . . .
Seamus: No different.
Scott: The difference is you can get fined €20 million.
Seamus: That's the big difference.
Scott: Instead of half a million quid.
Seamus: To be clear about that, the position is it could be more than that - it's up to four percent of your worldwide turnover. So, for local businesses within Northern Ireland.
Scott: Pretty successful firm you've got here.
Seamus: Absolutely. Bringing up the internal awareness is the important point. The second thing would be to look at the documentation you're holding, the personal data. It is about having some sort of system in place because, under the new regulations, there will be a system whereby you have to be clear about the documentation that you're holding, why you're holding it and where you got it from, things like that. It might be that gone are the days of having the personnel file in the corner and saying, if anybody wants to know, I'll go and check through it. It's about keeping your data up to date.
Scott: It's about auditing that but again, it's all personal data, isn't it? You're not talking about financial data in relation to a firm. It's individual personal data.
Seamus: It's typical things like looking at the subject access request, but it's about being on top of it and auditing, making sure you're shredding and getting rid of any data that you don't need any longer, and making sure that you're adhering to that process.
Scott: Raising awareness with staff about the difficulties, auditing and recording your documentation. What's your third?
Seamus: The third one, and this is a general one again, is to do your data protection impact assessment. One of the ideas that other people have used is to send a dummy email around the office and see who exactly has been on top of it and who has opened it up and caused difficulties in terms of breaches of data, or brought in some DNS virus at the end of their system, whereby their data is going to be taken and disseminated somewhere else. So, ideas like that, looking at your impact assessment and trying to prepare and get your staff ready for how this is going to work . . . and just as a fourth one, just to flag your data protection officer.
In general, it's a good idea to have a Data Protection Officer, a formally appointed one. We have a formally appointed one as of last year. It's about making somebody much more aware of what the position is, somebody within the office that everybody can go to to get information if they have issues or queries or things they need to discuss, so that they can go and identify that. The position at the minute is limited to public authorities, but also includes organisations that carry out the largest-scale processing of specific types of documentation, like health records and data and things like that. I think, as a general principle, get a Data Protection Officer in place.
Scott: Somebody in place that knows a fair bit about what we're talking about or at least test where the weak spots are.
Seamus: Exactly.
This article is correct at 18/10/2017
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.