We have put together a brief overview of the GDPR and how it will affect the personal data held in your health and safety systems.
What is GDPR?
GDPR stands for the General Data Protection Regulation, which comes into effect on 25th May 2018. It replaces the Data Protection Act 1998 and applies to all organisations that collect or use the personal data of individuals in the EU, wherever the organisation itself is based.
The GDPR will still be applicable post-Brexit.
'Personal data' means any information relating to an identified or identifiable living individual, including names, addresses, ID numbers and online identifiers such as IP addresses.
A breach of the regulation can result in large fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher), and individuals can also claim compensation if a business fails to comply.
Does the GDPR affect our organisation?
The GDPR applies to all organisations that process personal data, so it is highly likely that it applies to your organisation.
The GDPR defines two roles:
1. Data Controller – determines the purposes and means of processing personal data.
2. Data Processor – processes personal data on behalf of a controller.
Your organisation may fill only one of these roles, but it can be both: a business that decides why and how it processes data is a controller, even where it does the processing itself on its own systems, and it is a processor wherever it handles personal data on another organisation's behalf. ICO guidance explains the two roles in more detail.
Which role(s) you fill determines what you need to do. The ICO has published GDPR checklists for both roles so that you can assess your compliance with the legislation.
How will GDPR affect Health and Safety?
Health and safety systems hold a large amount of personal data about your organisation's clients, employees, contractors and others. As well as names, addresses and phone numbers, they often contain health information (for example accident, injury and occupational health records), which the GDPR treats as 'special category' data requiring additional safeguards.
Your health and safety data should be integrated into the changes and control measures you put in place across your organisation to manage personal data.
These changes should include:
Gaining a better understanding of the GDPR and your duties under the legislation.
Understanding and documenting your current data processes, and demonstrating that they meet the compliance requirements.
Creating a register (the GDPR calls this a record of processing activities) that identifies what types of personal data are held, which documents or systems they are stored in, why they are held and how long you need to retain them.
Identifying the third parties that store or receive your data (such as online storage providers and CRMs), confirming that they are GDPR compliant and ensuring that a written contract covering data protection is in place with each of them.
Assessing the security of your data storage and whether additional control measures are required to prevent, detect and manage breaches, bearing in mind that a breach likely to put individuals at risk must be reported to the ICO within 72 hours of becoming aware of it.
Undertaking a data protection impact assessment (DPIA) where processing is likely to result in a high risk to individuals, such as the large-scale handling of health data, to identify the most effective way to meet your data protection obligations.
We hope this short overview has proved useful and has reassured you that what can seem a daunting task is manageable with sufficient knowledge and resources. For more information about the GDPR, visit the Information Commissioner's Office (ICO) website.