Making GDPR an opportunity, not a risk
28th November 2017
GDPR is designed to protect us all, as individuals, and give us more of a say in how our information is used. As Helen Barge from Risk Evolves explained: “From providing your date of birth and email address to access ‘free’ wifi, to giving your full postal address just to return an unwanted item of clothing, our personal data has a value and GDPR should give us more of a say in what we share, how and why. But as businesses, that means changing the way we work.”
At a recent HB&O seminar, our clients heard first hand from experts in risk management, data protection legislation and human resources. The event covered the key changes being introduced, what action businesses should take, and how preparing for GDPR provides an opportunity to reengage with clients and demonstrate a proactive approach to cyber security and data management.
Underpinning all the advice was a strong recommendation that preparation for GDPR be led from the top, giving data protection the level of priority it needs. “Failing to tackle GDPR requirements, believing data protection doesn’t apply, or sweeping data breaches under the carpet are all attitudes that need to change.” said Helen Barge. “Conversely, organisations that value and respect data privacy and actively take steps to comply with GDPR will benefit from showing leadership on this important issue,” she added.
Helen Barge outlined the key aspects of GDPR, including:
- Companies must have a legitimate purpose for collecting data and should only use it for the purpose it was collected
- You should only collect the data needed and ensure it is accurate and kept up to date
- The two main reasons for retaining and using personal data relate to providing services (i.e. to fulfil a contractual obligation) and consent. Consent must be freely given, informed, explicit and unambiguous.
- Data must be kept safe, both online and offline. The Information Commissioner’s Office (ICO) is clear that companies must protect against cyber breaches, but paper records must also be kept secure and businesses should think about how they destroy old files or computers
- The data controller (owner of the data) and the processor (anyone using or viewing the data) share liability, so be clear what standards you want your third parties to be working to
- Subject access requests, where individuals can request all the data you have relating to them, will be free and must be responded to within 30 days
- The ICO AND those affected must be informed of a serious security breach within 72 hours and all breaches must be logged
But behind these headlines lay a number of nuances which our experts were able to shed light on, including whether handing over a business card was equivalent to consent, what to do about existing mailing lists and whether it’s appropriate to keep a CV ‘on file’ for future consideration.
Paul Lawrie, HR Consultant at HB&O, explained the importance of GDPR when it comes to staff. “Companies need to look at the personal data coming into their business and how it is stored and used. For example, what do you do with the unsuccessful CVs and notes following interviews? How long do you store disciplinary information on file? And how confident are you that you could lay your hands on all the relevant documentation were you to face a subject access request from multiple members of staff?”
Paul advises clients on how to improve the flow of sensitive HR data through their business and shared some of his top tips on keeping on top of the personnel data challenge. “Fundamentally, businesses need to be clear about what information they actually need rather than hanging on to CVs or interview notes that may go back decades. However, some exceptions apply, particularly when it comes to pension records or historical safety data so it’s important to seek specialist advice before switching on the shredder,” Paul advised.
Associate Director of Emms Gilmore Liberson, Matt Jackson, took delegates through some practical steps to take to prepare for GDPR, from completing a data audit and reviewing your supply chain to training your staff and engaging with your clients before the new regulation comes in.
“Now is an ideal time for companies to reconnect with their clients and seek confirmation that they still want to receive marketing information from them where consent is not already explicit.” Matt advised.
“From May 2018, any lists without that consent become useless, but by taking action now, clients can see you’re taking the new regulations seriously. But don’t be tempted to use this as an excuse to contact people who have previously unsubscribed from your list, otherwise you will find yourself in trouble with the Information Commissioner,” he added.
Our experts all agree that the most important message for businesses is to start preparing for GDPR now, seeking specialist input where needed. That way, you stand the best chance of complying by May 2018 and implementing processes which will help ensure you maintain compliance in the long term.
Another chance to hear from the experts
In response to demand, HB&O will be holding another free GDPR seminar in partnership with Risk Evolves and Emms Gilmore Liberson in late January. If you would like to attend, please register here.