The General Data Protection Regulation (GDPR), the most important change in data privacy regulation in 20 years, comes into effect on 25 May 2018. It’s a complex piece of legislation requiring comprehensive coordination on the part of businesses to educate their workforce and prepare for compliance.
However, too often the guidance around the GDPR is of the academic variety, focusing on “what” the legislation is rather than “how” businesses can become and remain compliant. This article focuses on the “how”, detailing concrete steps to educate your business and complete tasks needed to comply with the GDPR.
The UK Information Commissioner’s Office (ICO) recommends you nominate someone in your company as the go-to person for the GDPR. As a first step to compliance, look at your business and determine who should fill this role.
The GDPR outlines very specific actors involved in data protection. This includes the data controller – the person or organisation that makes the decision to capture and use personal data; the data processor – the person or organisation such as a payroll bureau who is following the instructions of the data controller; and the data subject – the person whose data is being collected.
Understanding the obligations of the business in relation to these three actors is a key component of the role of the GDPR champion within your organisation.
Learn the basics
The first step to educate your business, according to Ian McDonald, regional instructional designer at Sage, is for business owners to learn the basics.
While most people who attend GDPR webinars know that it is just around the corner, the majority haven’t yet grasped what it means for their business or what steps they need to take.
Therefore, the priority has got to be education first. This has to be customised to specific groups within your organisation depending on their role and especially include people who deal with personal data on a daily basis.
Conduct a data audit
Next, conduct a data audit so each department knows exactly what personal data they hold, what they use it for, with whom they share it and where they store it.
Adam Prince, vice president of product management at Sage, defines personal data as “anything that could identify an individual, so it’s not necessarily the name – it could be a phone number, an email address, a social media handle or even an internal identity”.
For GDPR and payroll, this will mainly be information about employees, and the good news here, according to Sage product management lead Ceara Metcalf, a specialist in payroll, is that it’s generally quite defined.
She says: “In order to pay somebody, HMRC requires you to have specific pieces of information about a person, such as their name, their address, their National Insurance number and their date of birth. As there’s a legal reason to have this information, you don’t need to get consent from the employee, so that makes things slightly easier from a payroll point of view.”
For other departments such as HR, data may be more fragmented across systems and may require consent, especially where the processing falls outside the usual employer/employee relationship. The best advice is to consolidate as much data as possible, ideally into an online system.
A key principle of the GDPR is that companies mustn’t hold data on anybody for longer than necessary. Once the audit is complete, the next task is to determine what you must delete.
From a payroll perspective, HMRC requires companies to keep employee information for a minimum of three payroll tax years. After that, there is no longer a legal basis to keep it and it will need to be removed unless there are other reasons to retain it (for example ongoing legal action).
Review policies and contracts
Next, it is worthwhile to review your staff policies around data. This may result in the need to create new policies or update existing ones, such as a Data Breach Incident Plan or a Human Resources Data Protection Policy.
Following this, review and update your legal terms and conditions that go into contracts. It is best to make sure, going forward, that your contracts with suppliers and vendors have all the GDPR processing obligations, which are set out in Article 28, in place.
Educate your business – final thoughts
These steps will enable your business to begin the process of becoming GDPR-ready. A natural by-product of this approach is that through education at all levels of the business, GDPR compliance is fundamentally embedded throughout your organisation from awareness and education to personal data management, policy development and contract management.
Even with this positive start, no organisation can become complacent. As Pat Larkin of Ward Solutions says: “A GDPR compliance programme is a significant undertaking for any organisation. It’s also time critical – ie, you need to be significantly compliant by a prescribed timeline and maintain it ongoing thereafter.”
In terms of approaching the GDPR, for Adam Prince, compliance essentially comes down to consideration. He says: “Consider the individual rather than you or the organisation when you’re trying to work out if you’re doing the right thing.”