It seems that many UK businesses are far from being GDPR ready – but if they don’t get ready in time, they risk fines that could sink them.
With just a year until the stringent privacy regulations come into force (May 25 2018), significant numbers of organisations have let this critical legislation drop off the planning agenda, believing, wrongly, that the new European regulations won’t affect them.
HR software provider Ciphr, whose clients are generally small to medium sized businesses, is concerned that businesses have yet to make sufficient plans – and expects HR involvement in GDPR preparations to be vital. The company has published a white paper, which can be downloaded here: http://www.ciphr.com/gdpr/
Chris Berry, Ciphr’s CEO, says,
“GDPR puts personal privacy ahead of business interests. This has a huge impact on all organisations, not only in terms of the client data they manage, but more importantly, the personnel data – which could be quite sensitive.
“The HR team will have an important role to play in protecting the data held on employees, leavers and job applicants.
“Any business, no matter how small, will be expected to comply. The government has confirmed that Brexit negotiations will not affect GDPR compliance.
“Given the implications to UK organisations, this is not something HR professionals can ignore. The business will be held accountable if things go wrong.
“It’s essential that HR departments start thinking about what’s needed and ensure provision is made to meet the new requirements.”
Under the General Data Protection Regulation (GDPR), new fines will be as high as 10 million euros or 2% of the offending company’s global turnover. And for more serious violations the penalties double: 20 million euros or 4% of global turnover – whichever is greater.
Despite the threat, a Crown Records Management survey found that a quarter of businesses have cancelled their GDPR preparation. It is anticipated that HR Managers will play a significant role in helping businesses meet the new requirements. Chris Berry says:
“GDPR will fundamentally change how organisations handle their employees’ personal data. The main changes are around the way staff can access, correct, delete and transfer their details.
“For those working in HR, this means a rethink about how personal data is collected, used and kept, from handling recruitment and employer references, to monitoring staff performance and handling records.”
Key changes will include making sure that consent has been actively opted into rather than assumed, ensuring that when consent is withdrawn the affected data is deleted appropriately, and safeguarding data.
In addition, new accountability measures will make it important that systems are in place to demonstrate that the regulations are being met.
Ciphr’s white paper shares 10 ways that HR teams can start getting GDPR-ready.
1. Start the Discussion
2. Assess your Current Compliance
3. Review Privacy Notices and Policies
4. Educate Yourself on the Requirements
5. Consider Consent
6. Put Processes in Place
7. Be Ready to Respond Swiftly
8. Consider appointing a Data Protection Officer
9. Develop a Data Breach Response Programme
10. Consider a Self-Service System