The countdown has begun to the new EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, but many companies are not prepared and lack understanding of how the Regulation will affect them, explains Jo Stubbs.
XpertHR research carried out in May suggests that the vast majority of HR professionals do not have a good understanding of the upcoming GDPR.
Some 51% of respondents described their level of understanding as low, with 45% saying they had "some" understanding. Only 4% of respondents said they had a good understanding of GDPR requirements.
Given there is less than a year to go, it is imperative that employers understand the implications of this new law, or they put themselves at risk of heavy fines as well as potential reputational damage.
The GDPR will require substantial investment in terms of money, organisational resources and management time - so employers need to get the ball rolling to ensure they are compliant on time.
What exactly does the new Regulation entail? It replaces the Data Protection Act 1998 in the UK and marks the start of a radical new data protection landscape, with significant penalties for non-compliance.
The GDPR will introduce a system of "data protection by design and by default", requiring organisations to take data protection risks into account throughout the design and operation of all policies, processes, products and services.
While employers currently typically rely on employee consent to process their data - often given via a broad clause in employment contracts - under the GDPR this will be much harder and they will generally have to find an alternative basis.
In addition, employers will be required to keep extensive records, including the type of employee data they process and the reasons for processing it.
Employees' right to receive a copy of the personal data their employer holds on them will also be strengthened: the fee for such data subject access requests will be removed (except where a request is manifestly unfounded or excessive) and the time frame for employers to respond will shorten from 40 days to one month.
The maximum penalty for breach of the data protection principles will increase to 20 million euros or 4% of worldwide annual turnover, whichever is higher, up from the current ceiling of £500,000.
What can employers do to prepare?
It is vital for employers to secure board and senior management level buy-in now to effect compliance across the organisation within the required time frame.
They should identify key stakeholders and ensure that the organisation has an executive sponsor on board to support the project through to May 2018 and beyond.
Employers will need to allocate sufficient resources to ensuring compliance with the GDPR, considering the size of their organisation, the types and volumes of data it processes and the level of risk.
There is no "one-size-fits-all" solution and the organisation's structure and culture will play a large part in how it implements its compliance programme.
Cross-functional team work will be crucial and organisations will need their legal, HR, IT and compliance teams to take an integrated approach.
They will need to bring together a team with the necessary skills and expertise to develop and implement a compliance programme, setting out the tasks, responsibilities and reporting lines of the individuals involved.
Once the team is in place, it will be important for it to work with each business area to identify the specific privacy risks to which the organisation is exposed, and how the organisation can mitigate or avoid them.
The team should carry out an initial review of existing data processing practices against the GDPR requirements, identify the gaps between current practice and those requirements, and assess the level of privacy risk each gap represents.
Once an organisation has conducted this initial audit and risk assessment, the next step is to develop and implement a GDPR compliance programme, prioritising compliance activity and remedial measures based on areas with the highest risk and most significant impact.
Organisations may need to adjust their initial estimate of time frames once they have started their compliance efforts and have a better understanding of how the GDPR requirements relate to their data processing practices and IT systems.
The implementation of a structured programme will assist in mitigating the risk of a fine and reducing the severity of any infringements. Employers should aim to be compliant by 25th May 2018, but this may be challenging in practice, so they should focus on the most important and riskiest areas first.
XpertHR has produced a guide providing an overview of the GDPR changes relevant to HR and the strategic considerations for organisations developing a compliance programme.
Jo Stubbs is head of content at XpertHR.