Cast your mind back: 25th May 2018. A year on and a few data protection headlines later, we thought it prime time to share our practical insights on the new regulations…
- Increasing tactical use of subject access requests – it’s almost common practice for employees to request their data whenever they’re building a case.
- Charges for excessive subject access requests are beginning to be used – provided you make sure charges are reasonable and you can justify them, they can prove a useful deterrent to having to deal with the request, and they stop the 30-day response clock ticking until payment is made.
- Increasing trend to move from hard copy people files to on-line solutions to help keep information secure and relevant. Click here for information on our platform – Intelligent Employment Hub.
- Lack of impact assessments when new data processing technology is introduced – start assessing! You’ll be able to show the ICO you’ve taken a diligent approach to introducing a system which might ultimately compromise personal data.
- Opt-ins for consent to process data are still not being secured. If you need consent (e.g. to respond to reference requests), ensure you secure written consent. Click here for more information on Intelligent Employment and our up-to-date employment contracts (containing consent).
- Consents aren’t being stored. Don’t delete them! The ICO recently fined Vote Leave for failure to prove they had consent to send out text messages.
- Sharing data with third parties isn’t being given enough consideration – if you use third-party programmes like SurveyMonkey, have you informed individuals whose personal data will be made available on that platform that you’re passing their information on? If not, you need to!
- A good privacy notice can be really useful – with one in place, many data protection queries can simply be answered by referring someone back to your privacy notice.
- Most breaches we’ve dealt with haven’t needed to be reported to the ICO. By way of example, sending an email to the wrong person should be recorded as a breach on your log but only needs to be reported to the ICO if the unintended recipient is going to do something with the data beyond deleting it.
- Personal data registers still aren’t widely in place (they’re required if you have over 250 employees). Click here for more information on our data protection toolkit and template register.
Our “Data Protection Toolkit” is still available if you need any help with getting the right documents and processes in place – you can see the list of contents here.