The advent of the EU’s General Data Protection Regulation (GDPR) has resulted in a spate of emails notifying you of policy changes, asking you to update your opt-in or subscription settings, and so on.
However, many people may be surprised to discover that the GDPR is not just about online security and protecting information. The Regulation, which came into force in the European Union on 25 May 2017, superseding the previous European Data Act of 1988, applies to any personal data that can be used to identify a person, including name, ID, phone number etc. The Regulation provides for sizable fines against companies in breach, and some of the first to suffer include tech giants Google, Facebook, Instagram, and WhatsApp, which are facing lawsuits of up to $9.3 billion on this basis.
Since an organization’s health and safety function deals with the personal information of employees, clients, contractors and even visitors, the GDPR has a significant impact on it. Any health and safety professional is likely to have dealt with some of the following areas, all likely to contain sensitive personal data:
- Workplace accident or incident logs, potentially including witness statements
- Health and safety training records
- Risk evaluations, both quantitative and qualitative
- Databases of personal accreditations
- Workplace health assessments and pre-employment screening tests
- Insurance claims for workplace accidents
- Complaints or audits in the area of health or safety.
In the near future, occupational safety and health teams may need to make changes to adapt to the regulation, as much of the personal data they handle will be subject to more restrictive controls because of its sensitive nature. Adapting to the regulation will probably require an approach ranging from company-wide HSE management systems to standards and policies governing safety, health, quality and environmental aspects of the workplace. Safety practitioners will have to liaise with quality staff to make sure that the requirements are built into the company’s systems and activities.
Below is a checklist of steps that need to be taken with a view to adapting to the GDPR:
- Perform a self-assessment by running through the checklists for data controllers and processors. This should give a broad picture of how well you comply with the new data protection legislation.
- Examine your procedures to identify those that involve personal data or which result in personal data being shared with third parties.
- Examine whether personal data is really necessary in those cases and consider any gaps in your policies. This will provide a foundation for a detailed examination of policies, and for changing forms and data flows if necessary.
- Examine which staff members have access to specific document types. This can be noted within the procedure or in a separate log.
- If your organization conducts regular corporate risk assessments, you should use the same approach for personal data protection risk (e.g. complaints by former employees over inappropriate use or sharing of personal data).
- If data is stored in hard copy format, ascertain where it is stored and who has access to it.
- Establish a data retention policy if you do not already have one, and make sure it figures prominently among your company’s policies.
As part of the process of complying with the regulation, it is likely that you will have to address most if not all of the points listed above. An ideal approach would be to ensure that any new procedures or policies developed in the future take account of data protection requirements. Responsibility for this lies mainly with health and safety managers and quality professionals.
Even companies that already have data governance measures in place may have to perform extra work to achieve a good level of compliance. Regardless, now is a good opportunity to develop policies and implement tools and applications so as to ensure that your organization is compliant from here on.