Have You Assessed Your GDPR Risk?
With the EU’s General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, it is pleasing that so many minds are focused on the important topic of data protection. As many organisations have realised, GDPR brings some important new responsibilities, but those already operating within current data protection legislation should not have to make too many adjustments to their working practices.
The main principles of data protection remain largely the same under GDPR. The new regulation does, however, provide a more comprehensive framework for the collection, processing and storage of personal data, and for individuals’ rights over it.
A number of legal cases in recent years highlight the importance of having adequate data protection policies in place and of ensuring that staff fully understand the practical implications of those policies.
Earlier this year a local authority education worker was fined for breaching data protection rules after unlawfully sharing personal information about school children and their parents via Snapchat. The image was sent to an estranged parent of one of the pupils and contained the names, addresses, dates of birth and National Insurance numbers of 37 pupils and their parents. The individual also sent a copy of a school admission record relating to another child. The breach occurred despite the council having provided data protection training to the individual concerned. ICO Criminal Enforcement Officer Mike Shaw said: “This was yet another example of how people whose jobs give them access to personal data can end up in serious trouble after allowing temptation to get the better of them.” The education worker was fined £850 and ordered to pay costs totalling £713.
So how can businesses safeguard themselves?
Some steps your organisation can take to ensure compliance with GDPR include:
- Training staff to make them aware of the changes to legislation
- Updating your terms and conditions
- Updating supply agreements with third parties
- Updating your privacy notice
- Reviewing your HR processes and documentation
Here at JCP we can help by offering:
- Bespoke training tailored to your organisation and its needs
- Legal documentation such as a data protection policy, privacy notices, contracts with third parties, and supply agreements including controller/processor agreements
- HR documentation such as employee and job applicant privacy notices, data protection policy and confidentiality agreements (if your business is on our HR Services retainer package these documents may be provided under this agreement free of charge)
- Templates and practical advice to conduct your data audits and data protection impact assessments
We offer tailored training for your employees which will enable them to understand how GDPR affects their job on a day to day basis.
Certain organisations are required to appoint a Data Protection Officer under GDPR. Even if the mandatory categories do not apply to your organisation, you will still need to decide who is responsible for overseeing data protection compliance. That role may include ensuring staff are adequately trained; responding to individuals who exercise their rights under GDPR; and undertaking privacy risk assessments at the outset of a project where required.
Jen delivers advice and training to local businesses as to compliance with the new General Data Protection Regulation (“GDPR”) and, together with our HR team, has developed a suite of documents to assist those clients with ongoing compliance. For more information please contact Jen on firstname.lastname@example.org or telephone 01792 525 466.