What you need to know about GDPR

What is the GDPR?

Coming into force on 25th May 2018, the GDPR replaces the Data Protection Act 1998, and is designed to keep pace with our data obsessed society. There has been much hype surrounding the changes and the significant steps that may be needed to comply. 

The EU’s GDPR portal confirms the changes to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”.

What will change?

Our progressively virtual world has led to personal details being shared ever more widely. The GDPR seeks to address this by awarding increased power to data subjects (the individual) to ensure they are given more information about how their data is processed.  

There are a number of key changes. For example:-

• Data Processors will have direct obligations now. Current laws apply only to Data Controllers.
• Organisations must report any data breach within 72 hours if it is likely to, “result in a risk for the rights and freedoms of individuals”.  This must also be communicated to the affected individuals without undue delay.
• Individuals will have enhanced rights, including to access their data, to rectify inaccurate data held about them and, in certain circumstances, to restrict processing of their data and to request its deletion.

What does this mean for health and safety systems?

Health and safety departments typically hold a huge amount of personal data. Often, such data is highly sensitive. Therefore, those in health and safety departments must ensure that their systems form part of the overall review of changes being made within their organisation to achieve compliance.

What sort of personal data will a health and safety department hold?

Health and safety departments are likely to hold a significant volume of potentially sensitive personal data, including:-

• Names, addresses and other contact details of employees, contractors, consultants and others.
• Occupational health records.
• Internal investigation reports.
• Accident and RIDDOR reports.
• Witness statements following incidents.
• Details of employee complaints.
• Insurance claims information.
• Certain risk assessments, for example for pregnant or young workers or those with some disability or impairment.

What should you do?

Health and safety departments should:-

• Review where you might find personal data within the health and safety system. Consider both hard copy and electronic sources.
• Document what type of personal data you hold and where it is stored.
• Think about why you hold the data and what you do with it; do you really need it? Draw on your risk assessing skills to help you determine what data you need to store and how long for (when balanced against the risk inherent in holding personal data). This should feed into the wider review the organisation must complete.
• Check you have a lawful basis under GDPR for processing each type of personal data that you hold.
• Ensure that appropriate security measures are in place to protect the security, confidentiality and integrity of the data. Restrict access to those who need it.
• Look at whether you share data and if so, who with? Where you are sharing data, for example with an occupational health provider, have you taken steps to ensure their compliance? Organisations must have certain contractual provisions in place with such third party providers.
• Review the organisational changes to prepare for GDPR; have you fed into these and will new proposed systems work for the health and safety team?

What if things go wrong?

A business that fails to comply with the GDPR could be liable for significant fines of up to EUR20m or 4% of their global turnover (whichever is greater) for certain breaches. This provides a similarity to the health and safety sphere where fines have rocketed since the introduction of new Sentencing Guidelines in 2016.

Rhian Greaves is a director specialising in regulatory crime, Amy Chandler is a partner in the commercial services team