GDPR individual rights – Is the cost to business just about to explode?

A photo of stacked coins
Photo by Ibrahim Rifath.

The UK government’s job retention scheme has protected 7.5 million workers and almost 1 million businesses. From the start of August 2020, employers will be asked to pay a percentage towards the salaries of their furloughed staff. Will businesses be able to re-employ all their furloughed workers or will we see a significant number of them being made redundant?

Employees who lose their jobs will invariably feel hard done by. Some of their colleagues have retained their jobs whilst they have lost theirs. They become disgruntled. They want to know why. A perceived solution to the why is for the employee to execute their GDPR individual rights through demanding to see what personal data is held and how it has been used. If this is the case it could lead to a dramatic increase in Data Subject Access Requests (DSAR) that overwhelm data compliance teams and increase dramatically the cost to business.

In preparation for the potential increased demand, some questions that businesses should be asking themselves:

  1. Is your DSAR process manual? If so, do you have sufficient resources to satisfy the increase in demand and still comply with the 30-day response time? Can you make your DSAR process automatic?
  2. Do you have processes that can easily access personal data? Paper records should be stored electronically and indexed. Centralise record keeping. All voice recordings should be indexed. Whilst this should be standard practice since May 2018 (GDPR start date), what about paper records of an employee starting 30 years ago?
  3. Do your Records of Processing (ROPs) have the information that states where personal data is stored and processed?
  4. Do you really know who you are sharing your personal data with? An individual has the right to know who you have shared their personal data with. Some third parties are obvious; travel agent for business travel; HMRC for PAYE and NI. Others are less obvious. The data that you collect in web site cookies is personal data. Do you share this data with Google? Business WhatsApp groups are highly likely to share data with Facebook. Have you included all the third parties you share your personal data with on your Privacy Notices? Have you contracted with these third parties correctly and used the correct contracting methods, such as specific data processing agreements?
  5. Do you keep consent records? Can you demonstrate that consent for personal data collection was given freely, the date that it was given and the purpose that it was given. Remember this also includes Web Site Cookies. How easy is it to remove personal data if consent is revoked, Is there a revocation process?
  6. Will your third parties comply with the DSAR? Can you report/remove/alter personal data that your business has shared with the likes of Google, Facebook, and Twitter?

Our advice is – Know what personal data you hold, where it is held, who it is shared with, and if necessary, has the individual given consent for use. Simple advice, tricky to implement.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article: