XpertHR is marking the one-year countdown to the introduction of the EU’s wide-ranging General Data Protection Regulation (GDPR) by launching a practical guide to help HR begin their preparations.
The new Regulation – which will come into force on 25th May 2018 – replaces the Data Protection Act 1998 in the UK and marks the start of a radical new data protection landscape, with significant penalties for non-compliance.
The GDPR will introduce a system of “data protection by design and default”, requiring organisations to take data protection risks into account throughout the design and operation of all policies, processes, products and services.
While employers currently typically rely on employee consent to process their data – often given via a broad clause in employment contracts – under the GDPR this will be much harder and they will generally have to find an alternative basis. In addition, employers will be required to keep extensive records, including the type of employee data that they process and the reasons for the processing. Employees’ right to receive a copy of all data held on them by their employer will also be strengthened, with fees for such data subject access requests removed and a shortened time frame for employers to provide the information.
The maximum penalty for breach of the data protection principles will be increased to 20 million euros or 4% of worldwide turnover if this higher – up from the current ceiling of £500,000.
Specifically, the guide features advice on:
- The main changes introduced by the GDPR impacting on employee data and HR areas of responsibility
- The importance of securing board-level buy-in for the implementation of a GDPR compliance programme
- Establishing a cross-department compliance team
- Conducting a risk assessment to identify the specific privacy risks to which the organisation is exposed
- Establishing a GDPR compliance timeline
Jo Stubbs, head of content at XpertHR, said: “A year may sound like a long way off, but employers need to be aware that complying with the GDPR will require substantial investment in terms of money, organisational resources and management time – so they need to get the ball rolling as soon as possible. They should aim to take a realistic, risk-based approach to compliance, prioritising remedial measures in the areas of highest risk and with the most significant impact.”
She added: “This guide provides an overview of the relevant changes for HR and the strategic considerations for organisations developing a compliance programme. It discusses the initial stages of preparing to comply with the GDPR from an employer’s perspective, with the intent of enabling organisations to begin their compliance efforts with respect to employee data.”
The guide can be accessed here.