5 Key steps in establishing an effective data protection compliance programme
Posted in: Supplementary Articles NI on 13 August 2019
On 25 May last year, the General Data Protection Regulation (GDPR) came into effect. A company's failure to comply with relevant data protection legislation could expose the organisation to administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. A GDPR breach can also cause considerable reputational damage for the organisation involved. A year down the line, this is the perfect opportunity for companies to carry out a review of their data protection compliance programmes.
Twelve months on from the introduction of the GDPR provisions, this is also the right time to plan refresher staff training for the year ahead and to review the data protection compliance programme as a whole.
1. Compile a register of data processing activities
To demonstrate compliance with the Article 30 record-keeping requirements, both data controllers and processors must maintain a current and detailed data inventory. It should set out the categories of data and data subjects, the purposes and lawful basis for processing, the recipients of the data, the safeguards relied on for transfers to third countries, the storage and retention periods, and a general description of the technical and organisational security measures used to protect the data. Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to individuals and involves no special categories of data; routine HR and payroll processing rarely satisfies all three conditions, so most employers should assume the record is required.
2. Review and update all third-party supplier contracts
Under Article 28 of the GDPR, personal data can only be passed to a data processor where the relationship is governed by a written contract, and that contract must expressly set out the GDPR obligations in relation to data protection: the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the processor's duties to act only on documented instructions, to keep the data confidential, to assist with data subject requests and breach notification, and to delete or return the data at the end of the contract. It should also require the third party, as a data processor, to provide sufficient guarantees that it has appropriate technical and organisational security measures in place to ensure the security and integrity of the data shared, and to obtain authorisation before engaging any sub-processor. This applies to third parties such as HR consultants, external payroll providers, auditors and accountants. One check worth making first is whether the third party is actually a processor: a professional adviser who determines its own purposes for the data is a controller in its own right, and a processor agreement will not fit that relationship.
3. Introduce and distribute privacy notices to all data subjects
Privacy notices should be issued to all data subjects explaining the nature and purpose of processing their data, the lawful basis relied on, the recipients, the retention periods and their rights as data subjects, including the right of access. The privacy notice should be tailored to the intended audience, whether that is the existing workforce, new employees, potential candidates for employment or, not forgetting, clients and service users.
4. Update contracts of employment and related policies
In addition to issuing privacy notices to the workforce, employers need to ensure that contracts of employment contain GDPR-compliant data protection and confidentiality clauses. These clauses should not rely on employee consent as the lawful basis for routine processing; given the imbalance of power in the employment relationship, such consent is rarely freely given. Data security and confidentiality should be embedded in your induction and exit procedures. Related policies also need updating, for example the disciplinary, CCTV, social media and IT policies. A comprehensive data protection policy is also essential.
5. Compulsory staff training in data protection and cyber security on an annual basis
Unfortunately, a combination of human error and cyber attacks is often at the heart of data breach incidents. If personal data is lost or shared with the wrong person, even accidentally, the organisation is likely facing a personal data breach and potentially a notifiable event: the ICO must be informed within 72 hours of the organisation becoming aware of the breach unless it is unlikely to result in a risk to individuals, and the affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them. The potential civil and criminal liabilities, ICO fines and reputational damage are by now well advertised. Annual data protection and cyber security training is essential, and is recommended by the ICO, to raise awareness amongst staff and to help them identify and avoid potentially harmful online risks such as phishing, ransomware and email scams.
FREE GDPR policy bundles now included in eLearning training packages
Legal Island is delighted to be working in partnership with Worthingtons Solicitors to include policy bundles FREE of charge to organisations when purchasing our Data Protection in the Workplace or Cyber Security in the Workplace eLearning training for 20+ staff members.
These policy bundles are designed to give practical assistance to organisations with their GDPR compliance programmes. The documents are prepared in a straightforward, easy-to-implement format so that organisations of any size and across all sectors can put in place the essential policies and procedures that reflect best practice in data protection and security. They provide a platform for organisations to build or enhance their compliance programmes and to integrate data protection into existing practices and systems of work.
What policy bundles are available?
- Data Protection Policy
- Third-Party Data Protection Agreement
- Data Protection Amendments for Employment Contracts and Related Policies/Procedures
- Data Retention Policy
- Recommended Data Retention Periods
- Data Breach Policy & Incident Report Form
- Privacy Notice for Staff
- Privacy Notice for Employment Candidates
- Privacy Notice for Clients
- Homeworking Policy
- Bring your own device to work (BYOD) Policy
If you would like to discuss this special package further, simply email firstname.lastname@example.org or call us, 028 9446 3888.
Louise McAloon will be presenting the session 'Northern Ireland Case Review 2019 and Key Next Steps' at Legal Island's upcoming Annual Review of Employment Law conference in Belfast this November at Titanic and Crowne Plaza.
This article is correct at 13/08/2019
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.