The GDPR (General Data Protection Regulations) come into force in May 2018. They require a significantly different approach to the management of Data Protection management currently, so here are our top tips to prompt your thinking and GDPR planning.
Do’s
- Start thinking and planning now. You need to have updated and issued your new data protection policy by April next year and you need to start the consent process probably early in the New Year. This will ensure that you are ship shape for May.
- Be aware that these regulations reverse the burden of proof so that in future you, the employer, will have to prove that what you did was reasonable rather than your employee having to prove that what you did was unreasonable.
- Be prepared to begin issuing Privacy Notices to all job applicants from next April or May. If you have a particularly long lead time when appointing staff, you may need to begin this even earlier than April.
- Prioritise carrying out a data protection audit so you are clear what needs to be done and where you might be exposed, so that actions can be taken prior to May 2018.
- Involve IT as they will be invaluable when it comes to discussions about tightening up access to personal and sensitive data that is held. Also, involve your company secretarial function in relation to checking that your data protection registration is up to date.
Don’ts
- Be complacent. Fines of up to 20 million Euros or 4% of your annual turnover is massive and should be highlighted to every Director, Non-exec Director and Senior Manager in the business so that these regulations are taken seriously. You should also consider workshops for all supervisors, line managers and directors to ensure full understanding of obligations.
- Ignore job applicants and ex-employees. You need to be aware of what data you hold and what you hold it for and what consent you have so that you are legal and compliant.
- Sit on data access requests or enquiries about the right to be forgotten. For access requests, the timescale is reducing from 40 days to one month.
- Forget to communicate to staff the ‘why’ as well as the ‘what’ when you are getting consent or introducing new policies. Full communication with staff is really important.
- Leave your staff representatives out of discussions between now and the date of introduction in 2018. They should be involved in the new policy you are going to implement and might also be able to support with the data protection audit.
And Finally…
10.5 Do not allow Group Think to give you a sense that all is okay. You need external eyes and different opinions to allow for full testing/challenging of what you currently do. This is not a time for egos or defensiveness but simply an open-eyed review of what you do and what needs to change.
We have GDPR policies, a management guide, audit, checklists and contracts with GDPR clauses on Docs Wizard, available to premium subscribers. View the GDPR Docs here. Sign up for membership here.