According to the latest Global Forensic Data Analytics Survey, only a third of businesses (33%) have plans in place to comply with the GDPR. Businesses in Europe appear to have embraced it more readily, with 60% of those questioned reporting that they have a compliance plan in place. The Big Four firm behind the survey said more work was needed to improve readiness in other markets: in Asia-Pacific only 12% of businesses believe they are ready for the GDPR, and the Americas (13%) and Africa and the Middle East (27%) also showed low levels of readiness.

The UK's lack of preparedness is echoed by research from the Institute of Directors. A survey at the end of 2017 found that a third of directors had not heard of the GDPR, while four in ten were unaware of how it would affect their business.

The EU General Data Protection Regulation replaces existing data protection laws on 25th May 2018. The wake-up call to step up preparations comes as evidence mounts that many organisations in the UK are inadequately prepared, not least because the new rules require companies to demonstrate, with evidence, that they apply stringent data privacy and security measures.

According to Tailored Data Solutions' Mike Lenard, some organisations are still in the dark that the new laws even apply to them. He said: "At the end of last year I spoke at an Executive Leaders Network event about the work needed to meet compliance with the GDPR. There were around 300 people at the event, from a wide range of sectors, including CEOs, data protection officers, company secretaries, lawyers, IT and marketing teams. On speaking to them, I discovered that around 80% of the delegates were not ready to deal with the new legislation. Perhaps most worrying, there were still pockets of opinion that the GDPR was not their problem.

"Has the situation improved drastically since then? Recent reports suggest quite the opposite."

Lenard added: "This is partly because there is still a lingering misguided view that the new laws don't apply in Britain. In fact, the GDPR has worldwide impact on any organisation that holds data on EU citizens.

"Ignoring it, or falling short of new data management and control rules, could prove fatal. Noncompliance fines could amount to as much as €20 million or 4% of annual turnover."

When the GDPR goes live, it will dictate how organisations gather, store, use, encrypt and dispose of personal data. Its aim is to address a 475% increase in data breaches between 2015 and 2016 that has badly shaken consumer confidence.

To support organisations in meeting GDPR compliance in the coming weeks, Tailored Data Solutions is offering a reduced rate for its GDPR consultancy services. This includes a company visit and a robust set of recommendations to help meet the deadline, along with greater clarity and training to manage data more effectively.

How HR can prepare

While the GDPR builds on many of the principles of the Data Protection Act 1998 ("DPA"), there are new elements, as well as some practices which will need to be done differently. Penalties for non-compliance with the GDPR will also be much higher, with fines set at the greater of 20 million euros or 4% of global annual turnover, so it is important to get it right. The impact of this cocktail of change will be a lot of work for HR departments.
As a minimum, we expect HR teams to be responsible for the following: a data inventory and mapping exercise to understand what data they hold, how it is used and which third parties are involved in processing it; a gap analysis to work out what compliance steps are needed; a review of privacy policies, data protection policies and incident response plans; drafting revised staff data protection policies and communications monitoring policies; a review of recruitment and selection processes and the use of data in them; a review of contracts of employment and policies, and of how the business uses employee data; a data protection impact assessment (DPIA); training staff on data protection; and, if the business has global offices and personal data is routinely sent internationally, a review of those transfer processes.

So how do you approach this in HR? The first step is to get support from colleagues in legal, compliance, marketing and commercial teams, as the issues do not solely affect employee data. The second step is to carry out an audit in order to understand what employment data your business holds, how it is used, where it is held and whether any third parties are involved in processing it.

Once these initial tasks have been performed, HR should: review the policies and procedures currently in place and consider how they need to be amended going forward, including data protection policies, communications monitoring, and recruitment and selection; amend data protection clauses in employment contracts; provide data protection training to the workforce; consider how to transfer data outside the EEA; and consider how to manage data subject access requests under the new regime.

The biggest challenge is making sure organisations do not leave it too late to get ready for the new regime. The key message is to take action now, consider how the GDPR will impact your organisation and take advice from your legal and compliance advisers if needed.