Blog: One year on but GDPR duties continue

Gillian MacLellan

Although many organisations breathed a sigh of relief when they got their house in order for the arrival of the General Data Protection Regulation (GDPR) on 25 May 2018, the reality is that compliance continues to be an ongoing task, writes Gillian MacLellan, partner at law firm CMS.

Thankfully the care and maintenance program is not as time consuming as the initial implementation project.

Putting in place the new processes required to meet the GDPR standards involved a significant outlay of time and resources, particularly for HR teams who hold large amounts of unstructured employee data. Keeping on top of the information minefield that is employee personal data also requires systematic review of procedures to pick up when the system is not working. You don’t want any gaps in your process to be exposed by a data breach or an investigation by the Information Commissioner’s Office (ICO).

The real test of how well an organisation has embedded its approach to GDPR is whether data management has become part of the day job for everyone, not just the Data Protection Officer. Essentially this is about developing a culture and a mindset where data protection compliance is built into business-as-usual decision making. Carrying out spot checks on how data protection processes are working is one way of assessing compliance. Here are some areas where it would be worthwhile doing some detective work.

Record keeping and retention

Organisations with more than 250 employees must now document all their processing activities, in addition to a variety of other matters including retention periods, data breaches and records of consent. If the ICO were to ask your organisation to disclose your documentation, what would your response look like?

Data Subject Access Requests (DSARs)

We are seeing an increase in employees making DSARs, which can be incredibly onerous for employers to deal with. Making this process as slick as possible is time and money well spent. Developing a standard process, including tracking existing and historic DSARs (including when responses are due), training a team to deal with DSARs and reviewing the process to continually build in learnings are all essential steps. In our experience, DSARs are like buses; none for ages and then they all come at once. Organisations must create capacity or an overflow strategy to resource multiple DSARs and be aware of the new tighter timescales for responding to one under the GDPR (within one month, extendable to three months in certain limited circumstances).

Employee privacy notices

After investing time producing a shiny new employee privacy notice, employers may be rather disappointed to know that this is supposed to be a living document rather than something that just gathers dust. It is to be expected that as employers go about their daily business, processing activities which were not envisaged will come to their attention and at this point it is important to update the privacy notice; this is not an admission of failure!

Changes must be notified to employees whenever a “substantive or material” change to the various key requirements takes place. The European Data Protection Board Guidelines on Transparency suggest taking into account the impact that such a change would have upon the data subjects and how unexpected or surprising it would be to them.

Data breaches

Data breaches come in all shapes and sizes, normally through human error. While the laptop left on a train is an obvious example, remember that a personal data breach can be much less dramatic, such as sending an email containing personal data to the wrong person, and can also occur internally. Although an internal data breach might mean that the potential damage is easier to contain, employees should be aware that serious repercussions can still follow. In addition to the fines that can be imposed on an organisation for a data breach, the individual who is responsible can also face criminal prosecution.

Employees need to be informed that they should only access files where they are entitled to do so. The ICO website reports on the case of a trainee medical secretary at a GP surgery who decided to access the medical records of patients whose records she had no valid reason to look at. The secretary was fined under the old DPA 1998 after she admitted unlawfully reading the records of 231 patients over two years, including those of colleagues, their families, her own relatives, friends and members of the public.

If your review discloses gaps then don’t ignore them: take action, train staff and change processes. Think of GDPR compliance like painting the Forth Road Bridge: a job that is never finished!
