After what seems like a week of receiving emails asking you to update your policy settings, opt in to communications from your favourite online store or even update your basic contact information with your local network provider, the letters GDPR probably seem like the last thing you want to hear about right now!
As a result, when speaking to colleagues around the office, everyone seems to believe that this is only to do with basic information online and subscription updates. The fact of the matter is, online security and information protection are only a small element of what the General Data Protection Regulation (GDPR) is all about.
The regulation came into effect on the 25th of May, 2018, replacing the 1995 Data Protection Directive and the national laws that implemented it (in the UK, the Data Protection Act 1998). In a nutshell, it covers any personal data that can identify an individual, directly or indirectly, by name, phone number, company ID or any other form of identification. Failure to comply can result in very hefty fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher. Major tech players such as Google, Facebook, Instagram, and WhatsApp were among the first organizations to feel the early consequences of the new regulation, with complaints seeking fines in the region of $9.3 billion filed against them on the day it took effect.
The regulation also has strong implications for the health and safety side of the business, since the general operations of any organization are likely to involve details of clients, employees, contractors, and visitors. As a person working within an HSE department, you will at some stage deal with the following areas, which are likely to contain sensitive and private information:
· Health and Safety Training records
· Records of accidents or incidents at the workplace (Including witness statements)
· Qualitative and quantitative risk assessments which could include sensitive information
· Records of personnel accreditations
· Occupational health assessments and pre-work health screening
· Possible insurance claims made against accidents at the workplace
· Health and safety complaints or audits
It is likely that some occupational health and safety teams will at some point in the near future need to make changes as a result of the new regulation to ensure personnel handle personal data responsibly, as much of this information will be subject to additional controls due to its sensitive nature. Health-related records in particular (occupational health assessments, medical screening, injury details in incident reports) fall under the GDPR's "special categories" of personal data, which may only be processed under a specific lawful basis and attract stricter safeguards.
Integrating the new regulation will likely best be done by looking at company HSE management systems as well as the standards, policies, and procedures that govern quality, health, safety and environmental operations at the workplace. Safety professionals will need to come together with quality personnel and ensure such requirements are embedded within the fabric of the company's activities.
The following highlights some of the actions to be taken, as well as changes that need to be made, in order to work in accordance with the new regulation:
1. Carry out a self-assessment audit by going through the "controllers" and "processors" checklists. This will give you a high-level understanding of how to assess your level of compliance with data protection legislation. This can be done online by following this link
2. Review your list of procedures to gain an understanding of which procedures may set requirements for personal data or where the data is distributed to third-party companies.
3. Assess where having personal data is really required and address potential shortcomings in your policies. You can then begin looking into the details of those policies and set plans for making changes to forms and flow charts where required.
4. Control personnel who have access to certain documents. This can be highlighted within the procedure or through a separate register.
5. Organizations that commonly conduct corporate risk assessments should use the same methodology to clarify the risk level that comes from a breach of personal data (for example, an ex-employee complaint resulting from individual data being inappropriately used or shared).
6. If data is kept in hard copy, determine where it is stored and who has access to these storage areas.
7. If not set already, set data retention policies and ensure these are highlighted in your company policies.
To ensure your company is complying with the regulation, at one point or another you will have to conform to the majority of the above points. The best starting point would probably be to ensure any new policies or procedures developed from this point forward take data protection regulations into consideration. It is mostly the responsibility of health and safety managers, as well as quality professionals, to ensure this process is fully managed.
Even for organizations that have a culture of good data governance, some additional work may be involved to achieve an acceptable level of compliance. For those that don't have that culture, it's a perfect opportunity to invest in policy development, tools and applications to ensure best practices are set for their operations.