The European Union is enforcing the new General Data Protection Regulation (GDPR) on 25th May 2018. Organizations not compliant by then could face prosecution - it’s important that businesses of all sizes start preparing months ahead.
The GDPR is replacing the Data Protection Directive, now severely outdated in our data driven world. GDPR aims to continue facilitating the free flow of personal data whilst ensuring a high level of data security, but its changes are significant.
Furthermore, it is not just EU organisations affected. Any company - regardless of location - controlling or processing personal information on data subjects (people) within the EU must comply with the new regulation.
Why is it relevant to Health and Safety?
The Health and Safety system holds a range of personal and highly sensitive data. Employee or non-employee data such as names, job titles, home addresses, and phone numbers must all be securely stored. Highly sensitive data like health records and witness statements must be stringently guarded. So, how can you manage your Health and Safety data in line with the new GDPR?
Steps to take in advance
Right now, along with understanding the new regulation, it is recommended that HSE leaders should:
- Understand and document the current data processes and demonstrate they meet compliance requirements.
- Document what personal data you hold.
- Assess the security of data stored, personal data in particular.
- Document where data is shared with 3rd party organisations.
- Review and define justifications for holding personal data.
- Categorize the risk level associated with personal data held.
- Commit to data retention policies.
However, achieving these steps may be a challenge. The GDPR will bring a whirlwind of changes undoubtedly affecting most companies in the EU (and further afield – any company in any country holding personal data on EU residents must adhere to GDPR or face prosecution). GDPR has been on many companies' peripheries for months, with some already instigating new policies – but an estimated 75% of organisations will struggle to implement appropriate procedures before May 25.
As an EHS professional, you may be seen as a Data Controller or Data Processor by proxy, so you should be aware of the legal responsibilities. Start preparing for the coming GDPR changes with this guide specifically for Health and Safety professionals.
Comparable to the changes of 1974
HSE personnel are well acquainted with new legislation replacing decades-old regulations, in the UK, Europe and North America in particular. The GDPR should be treated with similar importance. However, many health and safety departments are unaware of the GDPR's far reach. According to David Hennessy, Workplace Health and Safety law specialist, and Partner at Keoghs LLP:
The irony is that the likely impact of the GDPR has been compared to the Health and Safety at Work Act 1974, and those working in that area will understand the sea change that followed leading to the regulatory regime in which we now operate. Like health and safety, data and cyber security are now priority boardroom issues for business.
It’s intimidating, but taking small steps and asking the right questions will keep you compliant, achieve best practice and lead the way.
Read how GDPR will impact Health and Safety management in this document - including recitals, real life examples and considered recommendations.
GDPR affects everyone, and if you are not ‘compliant’, then prepare to be in proverbial hot water, regardless of your organisation’s size.
GDPR and Health & Safety: A Guide For HSE Professionals
The HSE department holds a wide range of personal data and will be directly affected by GDPR. This guide will help you prepare by understanding the regulation in the context of Health & Safety, and by knowing what steps you need to take.