In May 2018, the new General Data Protection Regulation (GDPR) comes into force in the European Union. The regulation aims to provide a stronger and more coherent data protection framework and significantly increases both the legal duties around storing personal data and the penalties for getting it wrong.
All organisations, big or small, make extensive use of electronic and non-electronic data in running their business and interacting with others. Whilst this has transformed the way we operate, holding personal data in this way inevitably brings associated threats: loss, theft, unauthorised access and misuse.
The likely impact of GDPR has been compared to the introduction of the Health and Safety at Work Act in 1974 and the change that followed, leading to the regulatory regime in which we now operate.
Like health and safety, data and cyber security are now priority issues for businesses, and like health and safety legislation, GDPR must not be ignored.
Why is it relevant to Health and Safety?
Whilst all business areas will be affected by the new regulation, Health and Safety is one area that will be significantly impacted.
Your health and safety department or system probably holds a wide range of personal data, some of which (health data in particular) falls into the special categories that the new regulation treats as highly sensitive.
Employee or non-employee data such as names, job titles, home addresses and phone numbers must all be securely stored, and data such as occupational health records, accident reports and witness statements must be guarded even more stringently, as these will often contain details of injuries or medical conditions.
How to manage Health and Safety data in line with GDPR
Along with understanding the new regulation, there are several steps that Health and Safety managers need to take in advance of the regulation coming into force:
- Understand and document your current data processes, and be able to demonstrate that they meet the regulation's requirements (GDPR places the burden of proving compliance on the organisation).
- Document what personal data you hold.
- Assess the security of data stored, personal data in particular.
- Document where data is shared with third-party organisations (for example occupational health providers, insurers or enforcement bodies) and on what basis.
- Review and record the lawful basis for holding each category of personal data; "we have always kept it" is not a justification.
- Categorise the risk level associated with personal data held.
- Commit to data retention policies that set how long each type of record is kept and ensure records are actually deleted when that period ends.
You need to ensure you treat GDPR seriously
Doing everything you need to do to ensure your health and safety department remains compliant will obviously reduce the risk of enforcement action and fines, but not only that: it will also help you to achieve best practice and lead the way for your peers.