Organisations and employers have been talking about GDPR for months now. However, with the 25 May 2018 deadline for GDPR compliance having passed, staff data protection and staff training may have been overlooked as employers urgently prioritise the control and processing of external data. No doubt many staff are still unaware of their responsibilities as data handlers – and their rights as data subjects.
It’s important, however, that employees understand the two key ways in which the new data protection regulations affect them, and that they receive staff training if required.
First, in their everyday roles and responsibilities they are likely to be processors of personal data, whether that’s customer, supplier, partner or even fellow staff data. Second, the new data protection regulations will change how their employers can collect and process personal data specific to the employee themselves.
Employees who process personal data as part of their role should be fully up to speed on their organisation’s GDPR compliance programme and how it affects them in terms of how they collect, store, access and process personal data. And bear in mind that ‘personal data’ can range from a personally identifiable IP address to ‘sensitive data’ such as medical notes to ‘special category’ data such as biometrics.
Staff should have a clear understanding of their organisation’s data protection policy and access to all other internal, related data policies. Their own role and responsibilities should be clearly defined, and they should only ever process data in line with their specific responsibilities.
It’s important that employees know who’s responsible for data protection within the organisation. That could be someone with a legal or policy background within the business, or a newly appointed Data Protection Officer (DPO), who’s responsible for handling GDPR compliance.
If employees want to introduce new systems or processes, they’ll need to run these by their DPO and either instigate or escalate a Data Protection Impact Assessment (DPIA).
Staff also need to understand the process to follow if they discover a potential data breach, so their organisation can, if the criteria are met, flag it to the ICO within 72 hours, advise individuals whose personal data is affected and avoid a hefty fine for non-disclosure.
Finally, it could well also happen that employees end up the first port of call for a Subject Access Request (SAR) from customers or even the colleagues they manage, as individuals seek to access, correct, delete or transfer their personal data. Again, your staff will need to understand how to manage or escalate this within the business.
In all these areas, focused staff training on GDPR compliance is essential. Similarly, technology or systems training may be required. For example, staff training is key if the business plans to introduce new systems to ensure GDPR compliance for, say, IT, HR, marketing or customer relations teams.
Employees’ data privacy rights
When it comes to considering staff’s own privacy rights under the GDPR, they have exactly the same rights as all other data subjects. While most of their personal data handled by employers will be through contractual necessity driven by employment law, to get paid or to present an annual review, for example, employees should still be clear on:
- Who the controller of their data is
- The lawful purposes for the processing of their personal data
- Any changes to their contract, company handbook or the processing of their data
- Their company’s data protection policy and data protection notice
- Which third parties have access to their data and what they plan to do with it
- Any intention to transfer their data outside the EU
- Any automated decision-making such as profiling
- The level of monitoring undertaken by their employer
- Their rights under the GDPR to, for example, object or complain
- Their right to submit a Subject Access Request (SAR)
Do you need help with your staff training for GDPR? Me Learning, in conjunction with specialist data privacy lawyers Clayden Law, has developed a range of accredited online GDPR courses for staff training. Some are sector and role specific, and there is a range of expertise levels, from core to advanced.