The Information Commissioner's website provides details of fines and notices of intent to fine. Only three such fines/notices of intent have been reported in the UK under the GDPR (introduced in the UK through the Data Protection Act 2018), amounting to over £280,000,000 (each fine was significant). There have also been a number of fines across EEA member states, and that figure is likely to increase given the length of time since the GDPR was introduced.
The employee/employer relationship is renowned for being data rich - employers process employee data every day and at every stage of the employment cycle, from recruitment through to references. To help ensure your business is data protection compliant, we have updated our Data Protection and GDPR - A guide for employers.
Here are some top tips for employers on how to stay compliant:
Top tips for employer compliance
Where to start? Data mapping is key. What data do you hold? How long do you retain it? Where do you send the data? What protection is in place with third parties? Are your processes GDPR compliant? Individuals have enhanced rights under the GDPR including a right to information and a right to transparency. Having the right systems and processes in place will put your business one step ahead.
Get your paperwork in order. Review existing employment contracts, data protection policies and privacy notices to ensure they are in line with the GDPR. Many employment contracts still include consent clauses requiring the employee to consent to the employer processing their personal data. The GDPR is clear - employers cannot routinely rely on consent as a ground for processing data. Employers will need to consider alternative grounds for processing and will need to ensure contracts and policies are clear. A large accountancy firm was recently fined €150,000 by the Greek Data Protection Authority (Greece's equivalent of the UK's Information Commissioner's Office) for GDPR breaches arising from wrongly relying on consent as a basis for processing employee data.
Data Protection Impact Assessments (DPIAs). DPIAs are required under the GDPR when high-risk processing is taking place, for example systematic and extensive automated decision-making, large scale processing of special categories of data or large scale systematic monitoring of public areas (CCTV). Consider whether you need to carry out a DPIA.
Are your employees on board? Training is an essential element of GDPR compliance - not just as a one-off but on a regular basis. Identify who in the business needs training and how frequently. Keep records of training provision and attendance. Businesses that are able to instil a GDPR compliant culture will find themselves in an advantageous position; communication and training will support this objective.
Remember that 25 May 2018 was just the initial implementation of the GDPR. Employers need to put ongoing processes, procedures and reviews in place.
We hope you find our guide useful. If you have any queries please get in touch.