Kate Wyatt reminds charities that the clock is ticking on GDPR
With new data protection rules due on 25 May, charities’ HR teams have little time to get up to speed on their new obligations. Breaches could expose them to fines and reputational risk.
The new law – the General Data Protection Regulation, or GDPR – involves two tasks for HR teams.
Firstly, they have to deal with data they hold on employees. Secondly, they should train staff to correctly handle data on service users, volunteers, donors, suppliers or others.
There’s clearly a lot to do here, but there’s plenty of help available
Kate Wyatt
Know your data
HR departments generally know what data they hold on people, have rules for managing it, and know how to access it.
Therefore, auditing the personal and sensitive personal data they handle may be an easier task for HR than for other teams.
In our experience, an area where charities’ HR teams have a significant GDPR compliance challenge is their “lawful basis” for holding personal data.
Under the current rules, employers commonly rely on employees’ consent to hold data – probably via a consent clause in their contract. Under GDPR, this is unlikely to be sufficient, and they’ll need to establish new grounds for handling it.
Generally, charities will easily establish an alternative lawful basis for holding employee personal data – for example, to meet their legitimate needs as employer. But they need to review contracts, see if they’re relying on consent, identify a different lawful basis and if so, update contracts.
Personal data held on job applicants will also need to be audited – remembering that the lawful basis for holding applicants’ data is not going to be the same as it is for current employees.
For former employees, HR teams should audit what data they hold, looking at their basis for holding it, how it is held, and for how long.
Staff should be updated on changes to data protection policies – not just to assure them about HR compliance with the GDPR, but to bring them up to speed on their responsibilities when handling other people’s data on behalf of the charity.
Dealing with requests and breaches
Another challenge for charities is going to be the expected spike in “subject access requests” (individuals requesting to know what data is held on them) from 25 May onwards. We recommend developing pro forma responses to streamline the process.
Another process to develop is how to monitor compliance with the new law, and report breaches to the regulator (which will be compulsory within 72 hours of an organisation discovering it).
There’s clearly a lot to do here, but there’s plenty of help available – from online guides to tailored advice on exactly what approach to the new law would work best for your organisation.
We advise most charities to designate a data protection manager – even if a formal data protection officer is not required - someone to drive audits and reviews, galvanise everyone into compliance, and identify what outside help might be useful. You can also refer to this useful checklist.
Daunting this task may be for anyone, but charities will generally benefit from understanding and managing data better, and it will help to safeguard crucial relationships with staff, volunteers, users, donors and other stakeholders.
Kate Wyatt is a Partner in Lindsays Employment Law team.