How to prepare your business for the forthcoming GDPR

Is your business GDPR ready? Here’s why organising training and increasing awareness should become your key priorities

A changing landscape

As we enter Q2, it goes without saying that one of the most talked-about industry topics has been the forthcoming European data protection regulations – and Adecco and Office Angels’ recent GDPR and cyber security event was a great way to highlight this evolution in the law relating to privacy.

The last time data protection legislation was passed was 20 years ago, before the digital age truly began. Since then, the amount of data and information created by our society has increased exponentially, and in ways that could not have been imagined a generation ago. The law relating to the safeguarding of this data needs to urgently catch up with today’s technology.

From 25 May 2018, all businesses will be subject to a new set of rules that strengthen and harmonise data protection principles in respect of all individuals within the European Union.

But what does this mean for your business in practical terms?

Firstly, it should be noted that GDPR is an evolution in the law, not a revolution. The eight data protection principles already enshrined in the Data Protection Act 1998 are not altered to any significant extent.

However, all businesses need to be clear about what lawful grounds for processing data they are relying on, and also be aware of certain new rights that GDPR gives to individuals (such as the right to be forgotten). To ensure that you comply, and to dispel any confusion among your staff, organising training around the subject and increasing awareness should be prioritised.

Read on to explore some of the topics you may encounter most frequently.

What kind of data will be affected?

The GDPR applies to ‘personal data’, which can broadly be described as any information relating to an individual person (the ‘data subject’) who can be identified from that information – which can include, for example, a person’s name, address, telephone number, email address, employment background and bank account number. 

There are certain more sensitive categories of data known as ‘special category data’ that are given enhanced protection under GDPR, such as a person’s racial or ethnic origin, political or religious belief, or any data relating to their health and medical history.

You will need an additional justification for holding and processing a person’s special category data, over and above the usual lawful basis for processing that applies to all personal data.

It is important to not confuse ‘personal data’ with ‘information’ generally. Any information that you hold which does not relate to individual persons (e.g. a spreadsheet with a list of client company names and phone numbers) is not covered by GDPR. If, however, the spreadsheet includes a column with contact names and addresses of employees at those clients, then GDPR will apply to it.

Is my company a data controller or not?

If you process personal data (processing being a very wide term, including simply keeping and storing personal data), then under GDPR you are either a data controller or a data processor.

In simple terms, a data controller determines the purposes and means of processing of the personal data, while a data processor is responsible for processing personal data on behalf of the data controller.

For example, if a person submits their CV to a job board, the job board becomes the data controller of their personal data. If, on the other hand, a company provides its staff information to a payroll company for the sole purpose of processing the company's wages, the payroll company is acting in the capacity of data processor. Both processors and controllers are accountable under GDPR, but in general terms the obligations upon controllers are more stringent.

You’ll need to consider your position if you’re sharing personal data with clients or suppliers, so carrying out a review of your processes is a great way to start.

In some cases, your clients may ask you to sign a ‘Data Processor Agreement’ – assuming that you are processing personal data on their behalf, and saying that this is necessary to comply with GDPR.

However, in many cases you will not necessarily be a processor – you may actually be a controller in respect of that data, because you don’t just process it solely according to the client’s design and instructions. If this is the case, you should challenge whether you should be signing up to a document that labels you wrongly.

It’s NOT all about consent

In our recent GDPR events, it was clear from the audience questions that there is still a big misconception out there; namely, that you must have the consent of a data subject before you can process their data. This is not true. In fact, there are SIX lawful bases for processing personal data, with consent being only one of them.

As a lawful basis for processing, consent can be tricky to work with, as the consent needs to be freely given, fully informed and easily withdrawn – so if your team is dealing with thousands of people in a database, it’s best to determine an alternative lawful ground for processing, such as having a legitimate business interest to process that personal data.

You must determine your lawful basis before you begin processing personal data, and you should document this.

One of the first things you need to do is map out all the personal data you hold, and determine the lawful basis for processing it; secondly, you should ensure that you have drafted a GDPR-compliant privacy notice, clearly stating the lawful basis that you are relying on, and communicate this to every person you hold personal data on.

If a person has already placed their data in the public domain (when searching for a new job on LinkedIn, for example), you’re permitted to use their details, but only if you notify that individual about your reasons for doing so.

You also become a data controller as soon as you take that personal data into your own records, and GDPR principles apply.

As with the current law, under GDPR you must also ensure the personal data you’re processing is accurate, secure, and only kept for as long as is necessary for the purposes it was originally taken for, so be mindful of this when keeping spreadsheets with large amounts of personal information.

Potential penalties

Despite the fact that penalties for data breaches were codified in 1998, there was previously a general perception that financial penalties for breach would not be too serious. Not any more!

Now, organisations that breach a data subject’s rights could find themselves with hefty fines – with a potential loss of up to four per cent of annual global turnover – so there can be serious implications for not being compliant. 

Possible breaches might include a negligent approach to cyber security, or misusing a person’s data, regardless of whether this was intentional or not.

However, we understand that punishing companies in the pocket for any and all breaches is not the key focus of the UK Information Commissioner’s Office (ICO) – their initial focus is to educate society on best practices in data management, and to promote embedding the new rules within our company cultures and DNA.

There is no doubt that blatant transgressors will feel the wrath of the ICO. However, if companies can demonstrate a real awareness of the GDPR, as well as the steps they’ve taken to implement it (such as organising staff training), sanctions will be far less severe.

Suggestions for clients

Here are a few initial suggestions from Gavin Tagg, General Counsel at Adecco, to help you prepare:

  • Notify all senior staff about the changes.
  • If you already have privacy notices, update them.
  • If you don’t have privacy notices, ensure that you create them and communicate them clearly.
  • Determine which lawful ground(s) you want to apply to the use and management of personal data you hold.
  • If you do have a legitimate business interest for using personal data, decide what kind of information this will include, and why it is really necessary.
  • Review how you record and manage consent.
  • Inform data subjects where their data is kept – and only use it for as long as is necessary.
  • Plan how you will handle any data subject access requests – bearing in mind that it is likely these will increase, now that there is no application fee under GDPR.
  • Hire new staff, such as a Data Protection Officer, to take responsibility for data protection compliance.

Remember – be accountable, and be transparent.

Want to build your team to help you prepare for the GDPR? Please contact an expert at your local Adecco or Office Angels branch.
Ben Singyard, 3rd Line Infrastructure Engineer (Microsoft), 6 years ago:

I like this: the GDPR is an “evolution in the law, not a revolution”