Governance, Risk and Compliance Blog

How to prepare your employees for GDPR

Posted by Emily Hill on Fri, May 12, 2017

Chances are that if you asked your Leadership, Marketing, HR or IT Director what they're doing to prepare for the new EU General Data Protection Regulation (GDPR), you'd open up a can of worms.

Research shows:

  • 20% of IT decision-makers in the UK are still unaware that GDPR even exists. Source: Trend Micro.
  • Almost one-third (32%) of people surveyed believe the chief information officer is responsible for GDPR-related changes; 21% name the chief information security officer, 14% the chief executive officer and 10% the chief data officer. Source: Centre for Information Policy Leadership (CIPL).
  • Only 56% of directors confirmed that they "have a formal cybersecurity strategy", let alone a GDPR strategy. Source: Institute of Directors (IoD).

Lack of awareness, transparency and clarity around GDPR is causing a lot of confusion.

Who is responsible for GDPR? Who does it impact? How does each employee need to approach the new requirements to stay compliant?  


GDPR and data privacy compliance are closely tied to a company's data strategy, its big data and analytics work, and its data-driven innovation. Compliance is therefore the responsibility of every employee, not just the IT or legal team.

To help you develop a plan for engaging your employees, we've separated your stakeholder groups and set out the key requirements for each. Use this plan as a starting point and adapt it to suit your own organisation.

For each stakeholder group below, "How you're affected" describes the GDPR requirement and "What you must do" the action it calls for.

Leadership

  • How you're affected: Fail to comply with GDPR and you could be fined up to 4% of your worldwide annual turnover or €20 million, whichever is higher, and face considerable damage to your brand.
    What you must do: Invest in training your organisation and provide the time and resources needed to make the changes.

  • How you're affected: If you have 250 or more employees, you must keep records of your processing activities (Article 30). Smaller organisations are not exempt if their processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of personal data.
    What you must do: Keep reliable, auditable records of all your data-processing activities: what you hold, why you process it, who you share it with and how long you keep it.

IT teams

  • How you're affected: All your processes and procedures for managing personal data must build in data protection by design and by default (Article 25).
    What you must do: Apply security measures appropriate to the risk (Article 32). GDPR names encryption and pseudonymisation as examples rather than mandating them for every record, so decide per data set what is proportionate, and control and log who is allowed to access data records or create new copies of them.

  • How you're affected: Data subjects are entitled to see any personal data you hold about them (right of access, Article 15), and in some cases to take it elsewhere (right to data portability, Article 20).
    What you must do: Ensure you can locate a person's data across your systems and provide it, normally within one month, in a clear and understandable form. If a customer wants to move to another company, you must be able to give them the data they provided to you in a structured, commonly used, machine-readable format; portability applies to data processed by automated means on the basis of consent or a contract.

  • How you're affected: If your systems are breached and the breach is likely to result in a high risk to the people concerned, those data subjects have the right to be told without undue delay what happened and what data was affected (Article 34).
    What you must do: If there is a personal-data breach, notify your supervisory authority (for UK organisations, the Information Commissioner's Office) no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Document every breach, including those you decide not to report, and make sure your logging lets you establish when a breach happened and which records it touched.

  • How you're affected: Data subjects have the "right to be forgotten" (right to erasure, Article 17), including when their data is no longer needed for the purpose it was collected for or when they withdraw consent.
    What you must do: Implement a clear policy for how and when you delete data, and make sure it reaches backups and copies held by suppliers. Identify what you must keep because of a legal obligation or for archiving purposes, and record the justification.

Marketing teams

  • How you're affected: You can no longer send marketing emails without the recipient first having given valid consent, and GDPR raises the standard: consent must be freely given, specific, informed and unambiguous.
    What you must do: Every data subject must confirm, by a clear affirmative action, that they are willing to be marketed to. You cannot treat silence as consent, pre-ticked boxes are banned, withdrawing consent must be as easy as giving it, and you need to explain your use of cookies more clearly.

  • How you're affected: You may only collect personal data that is adequate, relevant and limited to what is necessary for your stated purpose (data minimisation, Article 5).
    What you must do: Avoid collecting data for unnecessary or frivolous reasons, and consider whether you really need to know phone numbers, income, job titles and so on.

HR and customer accounts teams

  • How you're affected: If you're a public authority, or your core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data, you must appoint a data protection officer (Article 37).
    What you must do: Appoint a data protection officer to (1) inform and advise on your GDPR obligations; (2) monitor compliance, including training and audits; and (3) cooperate with and act as the contact point for the data protection authority.

  • How you're affected: There are tighter restrictions on how you store and process data on your own employees. Because of the imbalance of power between employer and employee, consent is rarely a valid lawful basis for processing employee data, and where you do rely on it, employees can withdraw it at any time.
    What you must do: Audit what data you store on your employees and identify a lawful basis for each use (typically the employment contract, a legal obligation or your legitimate interests). Rely on consent only where employees have a genuine free choice, and have systems in place that let them withdraw it as easily as they gave it.

 

What you should do now 

After your initial stakeholder meetings, we recommend sending your stakeholders the GDPR Quiz in our toolkit to test how well they understand their GDPR requirements.


Tags: EU GDPR