May 23, 2018

GDPR: last-minute tips

Most organisations store personal data - and sometimes sensitive personal data - in the course of their business. It is therefore crucial that they comply with the new data protection legislation. One of the major changes introduced by the new General Data Protection Regulation (GDPR) is that of accountability. Organisations must not only be compliant with the new data protection principles, but they are also under a positive obligation to demonstrate that compliance.

Personal data and sensitive personal data - what is it?

In its most simplified meaning, 'personal data' is any information relating to an identified or identifiable person. This can include an individual's name, date of birth, address and photograph.

Some organisations, e.g. those in the life sciences sector, are also likely to hold significant amounts of 'sensitive personal data' such as:

  • genetic data – relating to inherited or acquired genetic characteristics, including biological samples
  • biometric data – relating to an individual’s physical, physiological or behavioural characteristics
  • data concerning health – both physical and mental health and the provision of healthcare services.

Lawful basis

Under the GDPR, data must be processed lawfully, fairly and in a transparent manner. The starting point will be for you to undertake a data audit and data mapping exercise in order to ascertain the data you are collecting, processing and sending out not only about your clients, but also about your employees and job applicants.

A legal basis that many organisations will seek to rely on is consent. However, consent can no longer be relied on for everything; for example, it is highly unlikely in an employment context that you will be able to rely on consent due to the imbalance of power between the employee and the employer.

It's worth considering whether there are more appropriate grounds for processing employees' personal data, for example, to comply with a legal obligation or for the performance of the contract.

Privacy notices

Following your data mapping exercise, you should look to implement privacy notices in order to inform clients/customers about the data you are holding about them and what you are doing with that data.

You should implement separate privacy notices for employees and for job applicants, whose data is likely to be different to that collated for clients/customers, and on different legal bases. There is no 'one size fits all' approach when it comes to drafting these privacy notices and it will depend on the results of your data mapping exercise.

Update contracts and policies

You will also need to look at updating employment contracts and other policies within your staff handbook, such as the data protection, IT & email, social media and disciplinary policies. You will also need to consider updating commercial contracts with third parties with whom you share data, for example an external payroll organisation in respect of employees.

Staff training

Spending time drafting, updating and implementing GDPR-compliant documents is all well and good, but you must also be able to demonstrate compliance 'on the ground'. You should raise awareness amongst your staff of the changes in the law to ensure that they are handling and storing data securely.

Employees involved in collecting, processing and sharing personal and sensitive personal data must be made aware of how the changes affect their daily tasks and how they can maintain compliance on behalf of their organisation.