GDPR Hub for Health & Safety Professionals

The new General Data Protection Regulation (GDPR) comes into force May 25th, and the Occupational Health & Safety department will be directly affected. GDPR affects all organizations around the world that process data about EU-based individuals. Here are some helpful resources for OHS professionals.

What is GDPR?

The new legislation replaces the Data Protection Directive which, given the pace of change over the last 20 years, is widely accepted as no longer fit for purpose in a data driven world. The following sentence within the official documentation issued by the European Union defines what the new legislation is looking to achieve.

“Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”

Much of what is required under GDPR is data protection best practice. The difference is that now data subjects (people) have more legal rights around knowing what information you hold on them, how you manage it, and how it is deleted (“the right to be forgotten”). Furthermore, GDPR introduces accountability and regulators may now levy noncompliance fines of up to 4% of a company’s global turnover.

GDPR applies to any organization that processes personal information about EU nationals. If your company is headquartered in a non-EU state such as the USA, but captures information about EU citizens (as is the case for most online businesses), you are still subject to GDPR rules.

5 GDPR Q&As - video

Want a quick overview? Watch our short, 2-minute video with Pro-Sapien Managing Director Murray Ferguson, who answers five important questions from health and safety professionals.

Questions answered:

  • Why is the new GDPR coming in?
  • How will GDPR affect the way OHS professionals work?
  • What about when filling in forms with personal data?
  • Does GDPR change policy around OHS data retention?
  • Will it be difficult for OHS to meet GDPR compliance standards?

How will GDPR affect health and safety?

It should be noted that GDPR does not prohibit the collection of personal data. You can continue to capture information about injuries, illnesses or other incidents, as you are required to by law. However, personal or sensitive data collected in the process must be protected and handled appropriately. Hasn't that always been the case? Yes, but GDPR formalizes into law what was previously just best practice.

OHS data processing involves personal information such as names, job titles and contact details, as well as sensitive information such as witness statements and health records. All of this data must be:

  • Justified - why are you collecting it?
  • Categorized by security level - who can see it?
  • Easily extracted from your system - can it be exported in a table format for data subjects to view?
  • Retained only for a required period of time - is there other local legislation mandating a minimum retention period?

Justifications, categorizations, export, and retention may be different in the OHS department than other areas of the business. You must have a policy outlining your intentions with personal data that you process, and committing to handling it responsibly.

Getting started

Complying with GDPR can seem like a mammoth task, and one that only 25% of companies are expecting to achieve before May 25th.

Due to the sheer volume of changes that need to be made, it is likely that your organization has a designated working team or individuals that can help you get compliant in the OHS department. However, if you're struggling to get your head around it all, we suggest asking yourself the following questions in order to get started.

  1. Do you understand your current data processes? Can you demonstrate they meet compliance requirements?
  2. What personal data does the Health and Safety department hold?
  3. What security is in place for the personal and sensitive data stored?
  4. What are your justifications for holding personal data?
  5. What are your personal data retention policies?

This will give you a good basis to work with when discovering the gaps between where you are and where you need to be.

Online resources

There are vast amounts of resources online about GDPR - but not many for OHS professionals. To save you crawling the internet for answers, here are some online resources that we have produced or found particularly helpful.

Compliance by May 25th

May 25, 2018 is the day that GDPR becomes law for any organization processing information about individuals in the EU. It is predicted that three quarters of companies affected will not be fully compliant by then; however, if you can demonstrate that you are taking the necessary steps towards compliance, data protection law enforcement bodies like the ICO (UK) will take that into account:

"It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick."

Complying with GDPR requires a shift in attitude towards data protection. If you've heard lots of conflicting information about what GDPR means for you, check out the ICO's helpful GDPRmyths series.

Download our guide

For information on how you can become compliant with GDPR, download our report: GDPR and Health & Safety: A Guide for HSE Professionals. It's a good place to get started and is something you can share with your colleagues offline.

DISCLAIMER: The purpose of this page is to raise awareness of the issues surrounding GDPR and to provide assistance to those seeking information regarding compliance. Its author is not a legal professional and this page should not be construed as providing professional advice.