Welcome to our GDPR page!
The General Data Protection Regulations
We've given a lot of thought to how best to support our clients through the introduction of GDPR. If you've had any exposure to this topic you will realise that compliance is not simply a matter of a new policy and a quick memo to staff. The reason is... Accountability.
Accountability is one of the new data protection principles - it requires you not just to be compliant but also to be able to demonstrate compliance. This requires a variety of practical steps involving:
- reviewing the data you collect - what is it, is it needed, when do we delete it, and do we have a lawful basis for processing?
- protecting the data - who has access and how is access monitored and controlled?
- having procedures to deal with new data subject rights such as erasure, portability, rectification;
- ensuring your people understand and respect the new regulations.
The programme set out in these pages provides a structured approach to achieving compliance efficiently and with as little stress as possible. Unfortunately we can't do all the work for you, but the tools provided will simplify the process and provide a documentary record that the essential tasks have been completed.
First a word of reassurance: a whole industry has sprung up around GDPR aimed at scaring you into buying expensive and probably unnecessary consultancy. The potential financial penalties are, indeed, eye-watering but there's no need for panic. The ICO recognises that the measures you are required to take should be proportionate having regard to your resources. They have also made it clear that they intend to soft-pedal on compliance in the first couple of years. So long as you have made reasonable efforts to comply and are working through a plan, disaster is unlikely to result.
So, where to start?
We recommend that you follow the steps set out below in the order listed and call us or email in the usual way if you get stuck.
1. Read our GDPR Overview
This provides a comprehensive introduction to GDPR. It is designed to illustrate the main principles and the steps that should be followed for initial and ongoing compliance. (You can probably skip this step if you have already undertaken GDPR training or read up on the subject.)
2. Complete the HR Data Audit
The Audit takes the form of an online questionnaire accessible from the link below. The Audit will identify and define:
- who is responsible for data security;
- the range of HR data collected and why it is required;
- the legal basis for processing;
- how the data is stored, controlled, shared and deleted;
- who has access - internally and externally;
- how you train your people.
It will also walk you through privacy notices and data subject rights, and identify the policies to be updated.
At the end of the questionnaire you will have:
- collected the information necessary to demonstrate compliance;
- identified any tasks required to achieve compliance.
When you submit the questionnaire, a report is automatically generated that records your answers and evidences the work undertaken. A copy is automatically sent to us so that we can design policy and contract updates based on your answers.
The Audit is lengthy and you may not be able to complete it in one sitting. No problem. Use the Save button to record your work. A link will be presented which you can cut and paste to take you back when you are ready to resume.
3. Edit and complete the draft Data Protection Policy/Privacy Notices
If you are a current Staffcraft or HRinPractice client, the Data Protection Policy replaces existing versions. This policy incorporates the Privacy Notice required for employees/workers/contractors. A separate Applicant Privacy Notice should be used when recruiting.
The information you need to complete these policies is collected in the Audit and can be used to complete these documents in draft.
When you have finished, forward the drafts to us for review and incorporation in your Employee Handbooks and recruitment documentation. Here are the links to these policies.
Most existing contracts will rely on consent as the basis for processing. Consent should now be the last option selected due to the complications that consent creates and the availability of better alternatives. The new bases for processing are communicated in your new Data Protection Policy and associated materials but this needs to be incorporated into contracts. The Contract Variation template below should be used for this purpose.
4. Issue Updated Policies
A number of other policies will require updating to reflect the GDPR requirements. These will be identified from the Audit and updated by your Adviser as necessary. You will need to distribute updated policies/Handbook once received.
4. Complete our Data Processing Agreement
As you will have found from the HR Data Audit, you need to identify external organisations that process data on your behalf. We are one of these!
Please review the draft agreement, sign it and send it to us for counter-signature and return. Select either Staffcraft or HRinPractice as appropriate.
5. Further study
This programme will help you achieve basic compliance, but you may need further information on certain areas. We are always available, of course, or you can refer to the additional resources below:
Comprehensive guidance from the ICO on all aspects of GDPR
Simplified guide covering the basic principles
Useful industry-based guidance on CCTV and GDPR