It’s been a while since I found time to write. Things are crazy busy, both in and out of work, but today felt like a great day to take the time to focus on a topic that is dominating much of my time right now. Get ready for it. It’s another sexy subject. GDPR.
I heard the groans from here. I seriously know how dull this topic sounds and, to be really honest, it doesn’t just sound it. It is! There’s not much sexy about data protection regulations, but believe me, you don’t want to ignore this one. Now I say that like it is new news, and I know that many, many people reading this will be thinking, goodness me, tell me something I don’t already know. But… I have spoken to so many people recently who have not been aware of this, or have thought it doesn’t apply to them, so I did want to write a short piece.
News flash. GDPR affects anyone holding data on EU citizens. Data is anything that is identifiable back to an individual, and those individuals have the right to know what you are collecting about them and how you intend to use it. So… you may not only have data about your customers to consider; if you employ people, you absolutely have their data to consider. This extends to applicants, volunteers and ex-employees too. My focus is on the data you hold about the latter group.
Regardless of how much you know, though, GDPR comes into force on 25 May 2018. I’m not going to witter on at length about this, but I did want to hopefully spark curiosity in those who currently know very little but may now want to know more.
Did you know that you can no longer rely on the data protection paragraph in your employment contracts for consent to hold your employees’ data? The reason being that consent must be unambiguous and freely given. Unambiguous means an employee should be crystal clear about each piece of data that you hold about them. But you don’t need to panic about that, as a few actions can rectify this no problem. Those few actions could take you longer the more employees you have, and the best place to start is with a data audit.
You basically must have a valid lawful reason for processing personal data, for example:
- Legitimate interests of the data controller
- Necessity for the performance of a contract
- Compliance with a legal obligation
- In order to protect the vital interests of the data subject
- Necessity for the performance of a task
You should also have a privacy notice for applicants and employees, and your data protection policy should be updated to reflect the GDPR changes. Your existing policies may need updating and your retention schedules could need to change; if you don’t have retention schedules, then now is the time to put them in place.
There are numerous other things to put in place, including being aware of how to report any breaches and dealing with subject access requests, and you may want to consider how you will train your team on the new legislation.
I appreciate you’re busy; you’re trying to run your business. I’m here to help should you need it, and I hope the blog helps you to take positive action today. Don’t let the dull-sounding, complex legislation scare you into doing nothing!
“Focus on where you want to go. Not on fear.” Anthony Robbins
Love Laura x