With the May 25 deadline for the new General Data Protection Regulation (GDPR) approaching, a leading employment lawyer outlines a series of simple steps to set businesses on the path to compliance.
Barry Warne, partner and head of employment law at hlw Keeble Hawson, says a significantly raised standard for consent when it comes to collecting, storing and processing personal data lies at the heart of the new legislation.
He said: “Under GDPR, data cannot be processed without a ‘lawful basis for processing’ such as consent. If consent is relied upon, every employee will have to give informed, explicit consent for personal information to be taken and they will have the right to expect total transparency about how that information is used.”
Barry recommends that employers conduct a simple internal data-mapping exercise to establish key facts, which include what information is collected, who is collecting it, how and why it is being collected, as well as how information will be used, how long it will be retained and why.
“Being equipped with vital information and facts such as with whom information will be shared, how it affects individuals concerned and whether the intended use is likely to cause individuals to object or complain will enable employers to draw up a picture of how data flows through their organisation,” he added.
“Helping companies to understand what constitutes personal data and exactly what happens to that data, this mini audit will enable them to draw up what is known as a privacy notice – a key document setting out agreed protocols for handling different types of information within the business.
“The importance of a robust privacy notice cannot be underestimated and it is worth seeking expert advice to ensure it is constructed in accordance with the expectations of GDPR.”
Fines of up to £20,000,000 or four per cent of a firm’s annual turnover can be imposed for non-compliance with GDPR.