The European Union will be enforcing its new General Data Protection Regulation (GDPR) as of 25th May 2018. If organisations are not compliant at this point they could face prosecution, so it’s important that small and large businesses alike start preparing whilst we are still a number of months out.
The new legislation replaces the Data Protection Directive, which has become outdated over the last 20 years and is no longer fit for purpose in our data-driven world. GDPR aims to further facilitate the free flow of personal data whilst ensuring a high level of data security, and the changes it entails are significant for any group that processes or controls personal data.
Furthermore, it is not just organisations based in the EU that GDPR will affect. Any company that controls or processes personal information on data subjects (people) within the EU must comply with the new regulation.
Why is it relevant to Health and Safety?
The Health and Safety department or system holds a wide range of personal data, some of which is deemed highly sensitive by the new regulation. Employee or non-employee data such as names, job titles, home addresses, and phone numbers must all be securely stored, and data such as health records and witness statements must be guarded even more stringently. So how can you go about managing your Health and Safety data in line with the new GDPR?
Steps to take in advance
Right now, along with understanding the new regulation, HSE leaders are advised to:
- Understand and document the current data processes and demonstrate they meet compliance requirements.
- Document what personal data you hold.
- Assess the security of data stored, personal data in particular.
- Document where data is shared with third-party organisations.
- Review and define justifications for holding personal data.
- Categorise the risk level associated with personal data held.
- Commit to data retention policies.
However, achieving these steps may be a challenge in a whirlwind of changes that will undoubtedly have an effect on most companies throughout the Union (and further afield – any company in any country that holds personal data on EU residents must adhere to GDPR or face prosecution if investigated). GDPR will have been on the periphery of many companies’ attention for months, and others will already have put new policies in place to prepare – but it is estimated that 75% of organisations will struggle to implement appropriate procedures before 25th May.
As the Health and Safety manager, or in a similar role, you may be regarded as a Data Controller or Data Processor by proxy, meaning you should be aware of the legal responsibilities this entails. You can start preparing for the coming GDPR changes with this guide, written specifically for Health and Safety professionals.
Comparable to the changes of 1974
HSE personnel are well acquainted with new legislation being passed, particularly in the UK, Europe and North America, where workplace health and safety regulators have been active for over 40 years. GDPR should be treated with similar importance. However, many health and safety departments are not yet aware of - or have been inadequately briefed on - how far-reaching the regulation is, a level of awareness lower than would have been expected, according to David Hennessy, Workplace Health and Safety law specialist and Partner at Keoghs LLP.
The irony is that the likely impact of the GDPR has been compared to that of the Health and Safety at Work Act 1974, and those working in that area will understand the sea change that followed, leading to the regulatory regime in which we now operate. Like health and safety, data and cyber security are now priority boardroom issues for business.
It’s intimidating, but setting out bite-size steps and asking the right questions now will hugely benefit your department, not only in remaining compliant but also in achieving best practice and leading the way for your peers.
More information on how GDPR will impact Health and Safety management is available in this document, which includes recitals, real-life examples and considered recommendations.
GDPR affects everyone, and if you are not ‘compliant’, those responsible will be in proverbial hot water regardless of an organisation’s size.
GDPR and Health & Safety: A Guide For HSE Professionals
The HSE department holds a wide range of personal data and will be directly affected by GDPR. This guide will help you prepare by understanding the regulation in the context of Health & Safety, and by knowing what steps you need to take.