The law firm warns that many employers across the public and private sector may not be prepared for the important changes introduced in the General Data Protection Regulation (GDPR) – and specifically how the regulation will affect HR policies and processes.
The warning comes as the firm has launched a new and updated guide, We Mean Business: Counting Down to the GDPR, which includes practical and specialist guidance for employers in order to achieve compliance over the next few months. It comes after a survey by the firm revealed nine out of 10 businesses had still not made crucial updates to their privacy policies – a key requirement of GDPR for handling employee data.
GDPR comes into force on May 25 and all organisations which retain or process personal information will need to comply. Employers could be liable for fines of up to £17m or 4% of their annual worldwide turnover (whichever is greater) for data breaches, and organisations will have just 72 hours from the discovery of a breach to report it.
Under the GDPR, employees as data subjects will have greater rights than they do under the current UK Data Protection Act (DPA) 1998. The regulation presents employers with a number of important changes concerning both the way they handle information about their employees and what they tell employees about the information they store.
Mike Wilson, Managing Partner and an employment specialist at Blake Morgan, said: “In the digital age, it only takes a few moments to realise just how much information employers store and process about their employees.
“GDPR raises the bar significantly from existing legislation in terms of giving employees greater rights and compliance is likely to require a practical, cultural and structural shift in the majority of businesses and organisations.
“May is quickly approaching, so organisations that haven’t already done so should start preparing for the changes. Those that are already in the midst of their compliance project should be checking to see how their action plans are progressing and whether all key issues are being addressed.”
The main changes HR professionals will need to address are:
- issuing job applicants and employees with a privacy notice detailing what type of information about them is/will be stored, on what legal basis, and what their rights are in relation to that information. Employers should be doing something similar already, but under the GDPR it will need to be a lot more detailed.
- making sure that consent is not, in general, relied on as the employer's basis for lawful processing. This will mean changing general data protection consent forms, application forms, and contracts.
- training staff on the significant changes to employees’ rights in relation to accessing their information and asking for it to be rectified, deleted, restricted or to object to the employer using or storing the information.
- working more closely with IT teams on understanding what information is stored and used, including considering the wide range of digital information held on employees including activity on work IT systems, mobile devices, vehicles, CCTV and wearable technology.
- appointing a Data Protection Officer (DPO) if they are a public authority. Any organisation can appoint a DPO, but all employers must ensure that they have sufficient staff and skills to discharge their obligations under the GDPR.
Mike added: “Compliance may seem like a mountain to climb, but the long-term payoff for employers will be considerable. It presents a real opportunity for employers to transform traditionally closed processes into more meaningful engagement with staff around things like employee performance and development.”
Blake Morgan’s lawyers offer both a start-to-finish consultancy package for achieving compliance and a complement of individual services to target known areas of concern, including HR policies and processes.
Recent data protection projects have included advising a world-leading UK charity on cross-border data flows and compliance with overseas legislation, as well as conducting a major data protection compliance project with a UK university.
Blake Morgan’s data protection, regulatory and employment experts are available to answer questions from organisations about GDPR at GDPR@blakemorgan.co.uk.
To download a free copy of the guide, visit www.blakemorgan.co.uk/GDPR.