With less than five months to the falling of the EU’s General Data Regulation Policy (GDPR), we continue to examine implications for business owners under the new legislation, with focus falling on staff contracts.
GDPR will herald a new era of accountability in data protection, and business owners will have to review employment contracts, policies and procedures to ensure that staffing practices remain compliant.
This compliancy should begin with ensuring that written contracts are unambiguous in their wording, and absolutely clear in every aspect.
In line with GDPR’s culture of ‘legitimate consent’, organisations will have to obtain the employee’s consent to process personal data, with easily understood explanations of what that data is needed for, followed by a clear opt-in to this data being used. This system will put an end to the more traditionally-used ‘opt-out’ method, which will be insufficient as of May 25th.
Employers must remember that employees will be able to withdraw their consent to their data being used at any time. Of equal importance, all pathways to consent will have to be fully documented, should evidence be called for by data officials.
To support this, HR processes may need to be improved to serve the standards of a far more data-security conscious era. Crucially, all staff who handle the private data of others will need to be properly trained – this is just one developmental factor that will have to be factored into work obligations to ensure compliance. If companies are found in breach of GDPR, HR and staff training records will be first up for inspection by officials.
The data protection policy
As of May 25th, staff should be made aware of a GDPR-compliant data protection policy that clearly points out what personal data means, why protecting it is essential and what the implications are for firms and individuals that do not adhere to the EU’s legislation.
There’s a sizeable incentivising stick here: in worst case scenarios, companies found in breach of GDPR could face fines of up to €20 million or 4 per cent of turnover – whichever is greater.
Employees should know your responsibilities as an employer, so that they in turn can do their best to comply with your journey to compliancy. Staff should also be absolutely clear on their rights as data subjects: the right to be forgotten, the right to restrict processing and the right to data portability.
Again, employers will have to ensure that their internal processes and procedures are fully reviewed and fit to support a new culture of GDPR compliance. How easy is it for your data controllers to delete data if that action is required? Are you able to source and produce precise information upon request, and present it in a properly structured e-friendly format?
The General Data Protection Regulation will also oblige employers to evidence all their steps to compliance, which means being able to detail staff training processes, demonstrate training has been completed and how compliance checks have been carried out. This evidence will have to be stored securely and kept up to date.
Should organisations discover they are culpable for a data privacy breach, it will have to be reported to the regulator within 72 hours, at the risk of aggravating any subsequent penalties.
The Data Protection Officer
Finally, all organisations will need to appoint a dedicated Data Protection Officer (DPO) who will be responsible for driving compliance and making notifications of any data breaches. The DPO will also provide a helpful point of contact for employees seeking GDPR guidance.
The foundation to compliance and a more secure future
Of course, GDPR will also apply to current data in business systems, and employers will have to conduct a thorough audit to ensure that all data stored is held line with new legislative standards.
It should be noted that this document is not an official guide and does not amount to legal advice. Rather, it is an outline of what business owners should expect to deal with under GDPR, so that the journey to healthy, successful compliance can begin as soon as possible.
The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.
Pre-registration for DPWF 2019 will be opening in the coming weeks.