Raise awareness of GDPR amongst your staff now. Top management must own this piece of compliance. It takes time, and you must be ready by 25 May 2018. It requires planning and documentation, and it is not just an HR issue.
Find out what data exists, where it is, how it is collected and what is done with it. Is it disposed of or kept, and is it secure? Can you detect if there is a breach and, if so, how will you investigate and communicate such a breach?
Analyse each category of data you collect and why you collect it. Is it actually used, or does it sit dormant somewhere? If so, why? Consider how long you keep each category of data, if, when and why you delete it, and the reasons for retention. Take particular care with sensitive (special category) data.
Which lawful basis are you going to rely on for each processing activity to ensure legal compliance? Where that basis is consent, what sort of consent are you seeking and how is it recorded? What are you going to do if consent is withdrawn? If you process data and collate it for statistical purposes (e.g. equal opportunities monitoring), is it protected by access controls or encryption? What are you going to do about remote workers and security?
You will need to review and update all your contracts and policies. Blanket consents, which are currently fine, will be high risk under GDPR. All workers, whatever their status, need to be guided through policies and privacy statements, ensuring that rights are communicated with regard to retention, security, erasure, destruction and record-keeping. Other policies within your handbook will also need revising.
Is there complete clarity on who is responsible for each stage of data processing so that the law is complied with? Do employees know how to exercise their rights easily?
What are you going to do about your contracts with external providers and the processes they run for you? What third-party services do you use? Have their data protection obligations been set out in a written contract? There are many areas of concern: payroll, IT, occupational health, etc.
For those in charge of compliance, what steps are you taking to make sure they have the time, authority and resources to perform their role fully and well?
Have you set up adequate training and communication within the organisation to cover all staff and stakeholders?
GDPR is not a one-off activity. It is here to stay. Do you need to introduce regular (annual) audits to ensure you remain compliant? How are you going to keep staff up to date? What are you going to do with new starters? Who will monitor ICO guidance?
Sounds like a lot of work. It is, but it is absolutely necessary, and it can be broken down into manageable pieces, step by step.
The team at Integrated Resources can help. Please get in touch if you need advice planning your GDPR approach.