The penalties for transgressions are tough: companies can be fined up to €20 million or 4% of annual (global) turnover as well as facing potential criminal sanctions and compensation claims.
The good news is that GDPR need not entail the complete re-engineering of your business, but it does mean ensuring that you are legally compliant and that you can demonstrate this.
Here is our “Starter-for-10” checklist of the most basic elements of compliance that you should already be able to demonstrate.
If you cannot answer ‘yes’ to all of the following statements, then you are not yet fully GDPR compliant:
1). We have conducted an HR personal data audit and put in place a Data Register to assess our current data processing practices against requirements under GDPR. (We have also drafted a policy based on the new regulation as a benchmark for assessment).
The scope of the data reviewed and the information captured means this is a significant task. We have used the information obtained from the audit to create a data register to meet record-keeping requirements under GDPR.
2). We have reviewed our systems and processes. Our organisation’s IT systems and processes are able to cope technically with the expanded individual rights, including subject access rights, and data breach requirements within the time frames required by GDPR.
3). We have created and/or reviewed our HR policies and procedures. This includes policies and procedures specifically related to data protection (eg, employee data protection policies and subject access procedures), as well as all sickness absence policies, employee monitoring policies and employee reference policies.
These contain clear and practical guidance on GDPR compliance.
4). We have put in place Privacy (Information) notices for employees and job applicants to comply with the more detailed information requirements under GDPR.
5). We have integrated GDPR-compliant “privacy by design and default” into our operations and day-to-day people management practices. This includes collecting the minimal amount of information, considering privacy from the outset of each project involving personal data and ensuring that the organisation engages with relevant business areas early on.
6). We have implemented a system to deal with data breach notifications. This includes developing a data breach response programme for prompt notification, and allocating responsibility for investigating a breach, containing the breach and making a report.
7). We have third party Processor Agreements in writing and in place with all of our service providers to ensure that they comply with requirements related to third party data processors.
8). We have checked where our data is stored by third parties (eg, external payroll providers) and, where our business deals outside the EEA, we have reviewed employee data transfer mechanisms to organisations outside the EEA to see if any change to the manner of transfer is necessary (eg, if the organisation should implement binding corporate rules).
9). We have established our staffing requirements for ongoing data protection compliance and monitoring following the implementation of GDPR.
10). We have provided training for all our staff, and specific training for individuals with data processing responsibilities, following the introduction of new data protection policies and procedures.
What Can You Do?
KJG can carry out a GDPR audit in your business, provide assistance writing your GDPR compliant HR policies and procedure, and train your staff.
To find out more, email firstname.lastname@example.org with your name, company name and contact number and one of our experienced GDPR trained team will get in touch.