CEO Confidential

How CEOs can prepare their business for the new General Data Protection Regulation

The new EU General Data Protection Regulation (GDPR) comes into force in under a years time and yet many companies are not prepared and lack understanding about how the Regulation will affect them.

XpertHR research carried out in May suggests that the vast majority of HR professionals do not have a good understanding of the upcoming GDPR, with 51% of respondents describing their level of understanding as low, and 45% saying they had “some” understanding. Only 4% of respondents said they had a good understanding of GDPR requirements.

It is imperative business leaders understand the implications of the new law which comes into effect on 25th May 2018 or they are putting themselves at risk of heavy fines, as well as potential reputational damage. The GDPR will require substantial investment in terms of money, organisational resources and management time – so employers need to get the ball rolling to ensure they are compliant on time.

What exactly does the new Regulation entail?

The new regulation replaces the Data Protection Act 1998 in the UK and marks the start of a radical new data protection landscape, with significant penalties for non-compliance.

The GDPR will introduce a system of “data protection by design and default”, requiring organisations to take data protection risks into account throughout the design and operation of all policies, processes, products and services.

While employers currently typically rely on employee consent to process their data – often given via a broad clause in employment contracts – under the GDPR this will be much harder and they will generally have to find an alternative basis. In addition, employers will be required to keep extensive records, including the type of employee data they process and the reasons for processing it.

Employees’ right to receive a copy of all data held on them by their employer will also be strengthened, with fees for such data subject access requests removed and a shortened time frame for employers to provide the information.

The maximum penalty for breach of the data protection principles will be increased to 20 million euros or 4% of worldwide turnover if this is higher – up from the current ceiling of £500,000.

What can business leaders do to prepare?

It is vital for CEOs to secure board and senior management level buy-in now to effect compliance across the organisation within the required time frame. They should identify key stakeholders and ensure that the organisation has an executive sponsor on board to support the project through to May 2018 and beyond.

Employers will need to allocate sufficient resources to ensure compliance with the GDPR, considering the size of their organisation, the types and volumes of data it processes and the level of risk. There is no “one-size-fits-all” solution and the organisation’s structure and culture will play a large part in how it implements its compliance programme.

Cross-functional team work will be crucial and organisations will need their legal, HR, IT and compliance teams to take an integrated approach. They will need to bring together a team with the necessary skills and expertise to develop and implement a compliance programme, setting out the tasks, responsibilities and reporting lines of the individuals involved.

Once the team is in place, it will be important for it to work with each business area to identify the specific privacy risks to which the organisation is exposed, and how the organisation can mitigate or avoid them. The team should carry out an initial review of existing data processing practices against GDPR requirements and identify gaps between current practice and GDPR requirements and assess the level of privacy risk.

Once an organisation has conducted this initial audit and risk assessment, the next step is to develop and implement a GDPR compliance programme, prioritising compliance activity and remedial measures based on areas with the highest risk and most significant impact. Organisations may need to adjust their initial estimate of time frames once they have started their compliance efforts and have a better understanding of how the GDPR requirements relate to their data processing practices and IT systems.

The implementation of a structured programme will assist in mitigating the risk of a fine and reducing the severity of any infringements. Employers should aim to be compliant by 25th May 2018, but this may be challenging in practice, so they should focus on the most important and riskiest areas first.

XpertHR has produced a guide providing an overview of the GDPR changes relevant to HR and the strategic considerations for organisations developing a compliance programme. The guide can be accessed here.

Have you read?

Leave a Reply

Follow us on Facebook, Twitter, Instagram, and Linkedin to never miss an update from the CEOWORLD magazine.
Jo Stubbs
Jo Stubbs is head of content for the UK XpertHR group, which provides comprehensive information on compliance, good practice and benchmarking. She has an LLM in employment law in practice.
Share via