By Janet Kerrigan, Service & Development Director at Willis Employment Services, a division of Willis Insurance and Risk Management
With just over one month to go until the introduction of the General Data Protection Regulation (GDPR) – and with 99 articles to comply with – many employers still have much work to do to ensure they meet some of its more onerous standards and obligations.
The GDPR, which seeks to provide new levels of protection for personal data held on individuals across Europe, will come into effect on 25th May, meaning those firms that have, until now, kept preparations on the back burner should bring them to the fore.
A failure to prioritise preparatory work may have resulted from a lack of understanding of what is required to get GDPR ready, including the time it takes, or of the potential impact on companies of not being ready, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for firms which breach the new rules.
Many businesses will already have data protection policies in place which they may consider sufficient, and it is true that personal and sensitive information held on consumers and employees in the UK already enjoys a high level of protection under the Data Protection Act 1998.
However, more than simply updating a data protection policy, time needs to be made for each aspect of GDPR preparation, not least the identification of what personal information is processed and where, why, how and with whom the data is shared.
For example, employers must be ready to handle requests from staff members exercising their enhanced rights with regard to their personal data (access, rectification, erasure and portability, among others), which as a rule must be answered within one month, or to meet tender requirements.
Among the other key aspects of the regulation is a requirement for businesses to identify a lawful basis for processing personal data, of which consent is one of six. Valid consent must be freely given, specific, informed and unambiguous; pre-ticked boxes and silence no longer count. As existing consents which do not meet the requirements of the new legislation will not apply after 25th May, it is important businesses identify and gain the necessary consents as soon as possible.
Therefore, an audit of current mechanisms for gathering data is prudent and a good starting point for any business in becoming GDPR-compliant.
A robust action plan, built to deal with the aftermath of any personal data breach, should also be put into place. To comply with the new legislation, it will involve reporting the incident to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and telling the affected individuals (customers or employees) what has happened without undue delay where the breach is likely to result in a high risk to them. Keeping a record of every breach, whether or not it is reported, is itself a requirement.
The process of preparing for the GDPR need not be seen as a constraint on everyday business operations. On the contrary, this sizeable task can make a major contribution to achieving efficiencies, realising business objectives and encouraging effective collaboration across business functions.
Seeking professional guidance, even at this late stage, can help firms in the process of getting ready for the GDPR, and avoid potentially hefty fines for non-compliance.