On 25 May 2018 the General Data Protection Regulation (GDPR) takes effect. It will have a significant impact on every business within the United Kingdom, so it is important to take steps now, before implementation, so that you are ready.
At least one of the GDPR's lawful bases must apply whenever you process personal data, and more than one may apply. Select the basis that is appropriate to the activity you are carrying out. One example is consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Individuals also have rights over their personal data, including the right of access and the right to rectification. Under the GDPR, an individual can have their personal data rectified if it is inaccurate or incomplete.
The GDPR contains explicit provisions about documenting your processing activities. You must maintain records of, among other things, your processing purposes, any data sharing and your retention periods.
The very first step is to carry out an audit. Attached is a template to help you identify what types of personal data you hold about an employee; you can also use it as a guide to the information you hold about customers.
The GDPR sets out the information you are obliged to give individuals about how you will use their personal and sensitive data. This is provided in a “fair processing notice”, also known as a “Privacy Notice”, which in the employment context is given to the employee and sets out what will happen to their personal data.
Implement appropriate technical and organisational measures that ensure, and demonstrate, that you comply. These may include internal data protection policies and staff training.
Once you have carried out the audit, the next step is to consider whether you comply with the GDPR principles, so that you can process this data lawfully. The GDPR sets out a number of principles with which data controllers and processors must comply.
An employer needs to identify who the controller of the data is. Within the notice, the employer is required to set out the principles with which the data controller and any data processor must comply.
Whenever a controller uses a processor, it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities.