The 25 May 2020 marked two years since the General Data Protection Regulations (GDPR) came into force. Within the UK GDPR is implemented through the Data Protection Act 2018 (DPA). Before the implementation of the DPA, businesses were busy making the necessary preparations to ensure that they would be compliant under the new regulations. This is likely to have included data audits, reviews, policy updates and training. However, since this date has the business reviewed the documentation, policies and procedures that were put in place? Are they still adequate?
It is becoming increasingly clear that during the initial rush of GDPR/DPA preparations, there was a tendency for businesses to concentrate on privacy notices and information for clients/customers and ensuring the policy was made available on websites. In doing so, staff within some businesses were forgotten.
Employers should most definitely have in place a privacy notice for their staff. This is a document that tells staff what personal data the business holds, why and what it is used for, as well as ensuring it has rules in place in relation to data retention, how to process third party data and details on security measures. This information may be contained in one document – for example the privacy notice, or it may be spread across more detailed standalone policies such as a data protection policy, a data retention policy and a subject access request policy. The exact approach a business takes will depend on its size, resources and the amount of personal data processed.
For those businesses who already have a privacy notice (and/or other similar types of documentation) in place, the responsibilities don’t end there. They must also consider when their documentation was last reviewed. Ideally, these types of documents should be reviewed on a regular basis to ensure consistent compliance with evolving regulatory guidance and in-house practices. A prime example – many businesses are now working remotely due to the impact of COVID-19, employers should especially be looking at updating their policies regarding these changing working practices to ensure the rules and guidance in place is clear on how to handle data remotely, especially if these arrangements are becoming more permanent.
Review compliance with the DPA will usually involve carrying out audits of personal data, reviewing current policies in place and considering if they are up to date and accurate or if they should be updated as well as having a clean-up of personal data generally within the business as it is incredibly important to ensure that they aren’t holding onto data for longer than is necessary. Another avenue to consider is training – is the business satisfied that all its staff understand their obligations under the policies? Do the staff understand the potential ramifications of non-compliance for themselves and the business? Now, may provide an excellent opportunity for a business to ensure its staff are up to date on this type of training – especially given the fact that the guidance confirms employees who are furloughed are still able to complete training.
We appreciate that ‘data protection’ can be a dry and complex area – however it is incredibly important businesses do fully understand their obligations in relation to their staff.
Our employment team at Moore Barlow are happy to arrange a call to advise you on your obligations and what you need to be doing to ensure you are protecting the business by remaining complaint. If now is not the right time for you to get in touch, we would advise you use this time, where possible, to carry out an audit of all the personal data you process about staff and why you do this, so that when resources do allow you to reach out for advice you have the data ready.