Dave Farrelly from DF Consulting outlines what your employees need to know about GDPR and why everyone in the business needs some level of awareness of data protection.
In January we introduced our monthly series on practical GDPR (General Data Protection Regulation) compliance for your business.
We provided you with an overview of GDPR and the basics behind the legislation, particularly in relation to the seven data management principles and how your business can demonstrate pro-active compliance.
This month we look at what your employees need to know about GDPR and why it is so important to ensure everyone in your business has some level of awareness on personal data protection and GDPR.
Whether you are a small coffee shop owner, a medium-sized retailer or a large insurance broker, one thing you all have in common is that you are processing individuals’ personal data. GDPR does not just apply to the tech and social media giants or to large financial services organisations; it applies to any business that processes personal data, and that includes you.
Not doing anything about GDPR compliance can introduce significant business risk. Think about the reputational damage to your business in the event of a data breach or a data subject complaint to the Data Protection Commissioner. There is also the financial impact in the event of a fine or penalty being imposed on your business for a data breach or non-compliance situation.
If you sit on the board of your business, there is also the personal liability exposure should it be demonstrated that no reasonable effort was made to introduce GDPR compliance.
GDPR compliance is the responsibility of everyone in your business. So, what do your employees need to know about GDPR in order to reduce the risks highlighted above?
As you think about your business and the level of GDPR compliance that you need to have in place, ask yourself the following seven questions:
1. Do my employees fully understand what personal data they are processing as they carry out their job roles and day-to-day responsibilities?
Do you maintain a “Data Processing Log” (the record of processing activities that Article 30 of GDPR requires most controllers and processors to keep) to capture and record all personal data that is being processed in your business?
Have you looked at each of your departments to understand what personal data individuals are responsible for and challenged the use of that personal data?
Do team members know the difference between ‘ordinary’ personal data such as a mobile telephone number and “special categories” of personal data such as medical records?
2. How familiar are my employees with the legislation, particularly the 7 Data Management Principles?
The level of required familiarity with the 7 Data Management Principles will vary depending on people’s job roles.
For anyone responsible for acquiring and processing personal data a reasonable level of knowledge is recommended.
Ensure your team always thinks about the “purpose” for having the personal data in the first place and the legal basis (or lawful processing condition) to justify the processing.
3. Do my employees know what to do in the event of a data breach?
Not only do your employees need to know what to do in the event of a data breach, they also need to know what constitutes one. A breach is not only a hack: it is any loss, unauthorised disclosure or unauthorised access to personal data, including an email sent to the wrong recipient.
More than 70pc of data breaches are non-malicious, with individuals making simple mistakes or not being aware of the impact of their actions.
The loss of an unencrypted laptop, for example, could have a catastrophic impact on your business should personal data be exposed.
Do your employees know what to do in the event of this happening and to whom they should immediately report it? The clock matters: under Article 33 a breach that is likely to result in a risk to individuals must be notified to the supervisory authority within 72 hours of the business becoming aware of it, so internal reporting needs to be fast.
4. Do my employees know what to do if they receive a ‘Subject Access Request’ or complaint from a data subject?
There has been a significant increase in “Subject Access Requests” since the introduction of GDPR.
Do your employees know what to do in the event of receiving such a request, and do they know that the response is generally due within one month of receipt? Do they know all of the data subject rights and how they pertain to your business?
5. Are my employees aware of the Data Protection Impact Assessment (DPIA) and when it is required?
GDPR introduced the requirement for a DPIA where new processing, or a significant alteration to existing processing of personal data, is likely to result in a high risk to individuals.
Are your employees aware of this requirement? Have you introduced a new payroll or HR system where a DPIA may have been required?
6. Does everyone know what to do should the Data Protection Commissioner contact the business in the event of an investigation or spot-check?
Businesses are already receiving requests from the Data Protection Commission as part of on-going investigations or routine spot-checks.
Does your team know what to do in the event of correspondence from the Data Protection Commissioner?
Who is responsible for managing and processing such correspondence? Does your business have a Data Protection or Privacy Officer? Does it need one?
7. Are my employees familiar with key data protection policies and procedures?
There are several key policies and procedures that your business needs to have in place and that your employees need to be aware of.
Do you have a “Data Breach” and “Subject Access Request” policy to name but a few? Are the procedures for on-boarding new employees and customers clear and fully understood by your team?
Dave Farrelly is a seasoned GDPR consultant offering businesses practical guidance, training and solutions to GDPR compliance. You can see more details on what Dave and his associates can support your business with at http://www.dfconsulting.ie/. Dave can be contacted directly at firstname.lastname@example.org.
Published: 19 February, 2020