Posted Tuesday August 8, 2017
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Drawing on the information that’s been released so far, we’ve pulled together the key things GP practice managers need to think about with regard to the data currently held about their staff.
Data Audit - Identify Employee Personal Data, Where It’s Stored and How It's Used
The regulations require companies to identify and record what personal data has been collected from job applicants and carried through the employment lifecycle – this is often referred to as a data map.
Most obviously this covers data held in HR information systems, but it also includes personnel files (both electronic and paper), files saved on hard drives and in emails, and possibly data on work phones and tablets. There isn't a prescribed format for the data map, and it can take a variety of forms as long as it fulfils the purpose of helping the organisation to determine:
- What personal data is collected
- Where that personal data is stored
- How that personal data is processed
Top tip – Check out our Records Retention Policy in the FPM Policy Library and start reviewing your personnel files, removing all old information that is no longer relevant.
How to Use the Data Map
The GDPR requires a detailed record to be kept of personal data-processing activities - the data map can serve this purpose if it contains the necessary information. It can also be used to identify gaps between your current practices and the requirements set out under the GDPR.
Draft Guidance to Date
Draft guidance from the Information Commissioner's Office (ICO) states that consent will be very difficult to rely on in the employment context. What this means in practice is that when using the data map, employers will have to look at all the different types of data they collect on their employees and, in most instances, determine a different legal justification for processing the data instead of relying on consent.
Article 6 of the General Data Protection Regulation (GDPR) states that processing of personal data will be lawful only if at least one of the following conditions applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the data controller is subject;
- Processing is necessary to protect the vital interests of the data subject or of another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (this condition does not apply to processing carried out by public authorities in the performance of their tasks).
Practices will need to look at the types of employee data they process and the processing activities they use and then determine which justification or justifications are relevant.
If it's not possible to justify the processing activity with one of the available grounds, the organisation will have to stop processing.
Communicating to Employees
One of the new requirements is that the legal basis for processing personal data has to be shared with employees, along with other information about processing. In addition to this, organisations must be able to prove that they comply with and enforce their own policy.
Policies and Processes
Practices will have to take several technical and organisational measures to make sure data protection is incorporated into all procedures involving personal data.
This will mean taking the following steps:
- Reviewing your policies and processes to ensure that only necessary data is collected, and that it is only processed to the extent necessary
- Storing the data securely
- Limiting access to the data
- Destroying the data once it's no longer needed
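The data map described earlier and the policy steps above can be combined into a simple gap check: each processing activity is recorded with what is collected, where it is stored, why, the Article 6 lawful basis, who may access it and how long it is kept, and the script flags records that fall short. This is an added example, not a tool from FPM, the ICO or the post; the record layout, the basis labels and the sample staff records are assumptions constructed for illustration, and retention is approximated in days rather than calendar years.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Shorthand labels (my own) for the six Article 6 lawful bases listed in the post.
ARTICLE_6_BASES = {"consent", "contract", "legal_obligation",
                   "vital_interests", "public_task", "legitimate_interests"}

@dataclass
class ProcessingRecord:
    data_item: str                  # what personal data is collected
    location: str                   # where it is stored
    purpose: str                    # how it is processed
    lawful_basis: Optional[str]     # Article 6 basis, or None if not yet decided
    access_roles: Tuple[str, ...]   # roles allowed to access it
    retention_years: Optional[int]  # how long it is kept, or None if not decided
    collected: date                 # when it was collected

def find_gaps(records: List[ProcessingRecord], today: date,
              public_authority: bool = False) -> Dict[str, List[str]]:
    """Return {data_item: [gap, ...]} for records that do not meet the
    requirements the post describes; an empty dict means no gaps found."""
    gaps: Dict[str, List[str]] = {}
    for r in records:
        found = []
        if r.lawful_basis not in ARTICLE_6_BASES:
            found.append("no Article 6 lawful basis recorded")
        elif r.lawful_basis == "consent":
            found.append("relies on consent, which ICO draft guidance says is hard to rely on for staff")
        elif r.lawful_basis == "legitimate_interests" and public_authority:
            found.append("legitimate interests is not available to public authorities performing their tasks")
        if not r.location:
            found.append("storage location unknown")
        if not r.access_roles:
            found.append("access is not limited to named roles")
        if r.retention_years is None:
            found.append("no retention period set")
        elif (today - r.collected).days >= r.retention_years * 365:  # approximate years as 365 days
            found.append("retention period elapsed: destroy")
        if found:
            gaps[r.data_item] = found
    return gaps

# Constructed sample data map for a fictional practice (not real records).
SAMPLE_MAP = [
    ProcessingRecord("bank details", "payroll system", "pay salaries", "contract", ("practice manager",), 6, date(2015, 1, 1)),
    ProcessingRecord("sickness records", "paper personnel file", "manage absence", "consent", ("practice manager", "GP partner"), 6, date(2016, 3, 1)),
    ProcessingRecord("emergency contact", "work phone", "contact next of kin", None, (), None, date(2017, 1, 1)),
    ProcessingRecord("old appraisal notes", "shared drive", "historic appraisal", "legitimate_interests", ("practice manager",), 3, date(2012, 6, 1)),
]

if __name__ == "__main__":
    for item, problems in find_gaps(SAMPLE_MAP, date(2017, 8, 8)).items():
        print(item, "->", "; ".join(problems))
```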
The Risks of Non-Compliance
The regulations could see companies face fines of up to €20 million or 4% of group worldwide turnover, a very high figure that has turned a lot of heads. The ICO have already said they will not be specifically targeting small organisations, but there will still be an increased risk due to individuals having a greater ability to bring private claims against organisations for breach of the regulations.
This is where the risk is likely to lie for employers, particularly small businesses that don’t have the capacity to devote many resources to the new processes.
To learn more, try the following useful links:
Personal Data an Employer Can Keep about an Employee - GOV.uk
Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now - ICO
Want to make sure you're prepared for GDPR? Award-winning primary care trainers Thornfields have developed a GDPR training course that provides an overview of GDPR, its impact on the NHS, and information on its strategic drivers and potential operational implications.