By now most organisations will be aware of the General Data Protection Regulation (GDPR) coming into force on the 25th May this year, but are you really ready?
According to Spiceworks (an IT platform company), only 61% of UK organisations are already compliant with GDPR, or expect to be by the 25th May, with only 46% of businesses in the rest of Europe, and a mere 25% in the USA feeling confident they will be ready!
Whilst a small percentage of organisations believe they will be fined for not complying with the GDPR, the bigger concern lies with staff feeling that their jobs will become more complex and difficult to do in trying to comply with the Regulation’s requirements and standards. With so many surveys reporting how organisations do not feel ‘ready’ and will struggle to tackle the challenges of the changing legislation, there is clearly a lot of work that needs attention, especially if you are still thinking that GDPR won’t affect you… think again…
Although the Regulation is being directed by the EU (European Union), the rest of the world is taking note, and international organisations are realising their responsibility when ‘controlling’ and ‘processing’ individuals’ (data subjects’) personal data once GDPR comes into force. Further change is to come as legislation aims to keep up with advances in technology and the sheer number of ways in which personal data has evolved and become available in today’s world.
WhatsApp, for example, signed up to an ‘undertaking’ in March 2018 in which it gave a public commitment not to share personal data with Facebook until it can do so compliantly under GDPR. This proactive step was taken to increase trust, openness and transparency for UK users.
The ICO (Information Commissioner’s Office) is providing vast amounts of useful material (guidelines, checklists and more) to assist organisations in getting ready for the biggest change to Data Protection the UK has seen in the last two decades, and is making it clear what organisations, or more specifically employers, need to do.
The Team at You HR Consultancy have created specific material to assist clients in becoming compliant and in ensuring that staff are aware, engaged and informed on how this fundamental change will affect them, both as employees and in undertaking their jobs if they work with personal data.
Our material is complementary to the culture shift the GDPR aims to introduce, harmonising the protection of the rights and freedoms of individuals with the free flow of data. At the heart of GDPR is a change in focus from regulating high-risk data processing activities to improving data security in more routine matters. From an employment perspective, you need to demonstrate greater transparency about your obligations. You will need to provide more information on what data you hold and what you do with that data, both for those inside the organisation, such as employees, and for those outside it, such as applicants in your recruitment campaigns and leavers, including agency workers and contractors.
Auditing your current position on how you securely store, control and process data is vital. Focusing on areas such as recruitment processes, personnel files, systems, benefits, policies and procedures is key to ensuring compatibility with the 6 principles of the GDPR and fulfilling your responsibility as an employer.
The Regulation states, without a doubt, that the changes to be introduced must not be just a tick-box exercise. Organisations must be able to demonstrate their compliance on an ongoing basis, show how records are maintained and retained, demonstrate how the 8 rights individuals will have with regard to their data will be addressed, and show that they are taking proactive steps to get ready…
The recent investigation into Cambridge Analytica put the ICO and its powers to the test. Even with the new GDPR coming into force, the ICO is thinking ahead about how its enforcement and powers of authority will need to be fit for purpose under the forthcoming legislation changes once the new Data Protection Bill, currently before parliament, is approved.
James Dipple-Johnstone, Deputy Commissioner for Operations at the ICO, oversees the Enforcement and Assurance departments, Data Protection Complaints and Reviews, as well as FOI Complaints and Appeals.
In his latest blog on the 4th May he has clearly set out how the ICO intends, through revising its Regulatory Action Policy, to align its powers of authority and take action against organisations that do not comply with the Regulation: “We can issue urgent notices to be complied with within 24 hours. We have the ability to inspect and assess compliance without notice and it will be a criminal offence for an organisation to destroy or alter information we wish to pursue a warrant to remove… The powers will allow us to better tackle the challenges of securing evidence and investigating systems in situ – to see how personal data are actually being used and managed.”
If you need a hand with any HR-related aspect of GDPR, you can read our article in this month’s B4 magazine or contact us on 01491 820 764 to discuss how You HR Consultancy can help you!