Acas uses cookies to ensure we give you the best experience and to make the site simpler. Find out more about cookies.

Website URL : The Control Id 'trail' could not be resolved to an actual control., Type=iCMRender.Controls.Value, ID=MainBlock (~/subsite/acas/masterpages/MainPageWide.master)

Paul Beard: GDPR is coming for you!

Thursday 30 November 2017

Paul Beard, Director of Acas South East discusses General Data Protection Regulations

Paul Beard blog Displays a larger version of this image in a new browser windowPaul Beard

Paul Beard is Director of Acas South East, and has dealt with many high profile trades union disputes, settled individual tribunal cases and developed a team of diverse and highly respected advisers/trainers who help businesses across the country. He has trained on data protection in HR for a number of Acas clients and is strangely excited by the new Regulation!


Over the last few weeks, my colleagues and I have observed growing interest from both employers and employees about a number of current topics: Brexit; discrimination and harassment in the workplace; and, perhaps most persistently, the General Data Protection Regulation (the GDPR). Whilst the first two may be topical, the latter poses a known and looming deadline 25 May 2018 for compliance, coupled with an immediate awareness there is much work to be done.

Why is Acas interested in the GDPR? Because the GDPR is not just about data stored in IT systems; it is about people ... suppliers, customers and employees. Much like the current regulations, GDPR applies to information gathered, held, processed and, ultimately, destroyed, throughout the employment life cycle.

The Information Commissioner's Office has provided a checklist 'Preparing for the General Data Protection Regulation' in which it notes compliance with the current Data Protection regime is a sound starting point. However, the GDPR introduces some enhanced and some new obligations, including:

  • A requirement to tell organisations with which you have shared data, if you subsequently become aware that shared data contained inaccuracies;
  • More detailed requirements for 'privacy notices';
  • Upgraded rules about consent to use of information - 'Consent must be freely given, specific, informed and unambiguous';
  • A reduced window in which to respond to Subject Access Requests;
  • Enhanced obligations around the detection, reporting and investigation of data breaches;
  • Embedded 'privacy by design' and specific requirements for 'Privacy Impact Assessments' in certain circumstances; and
  • New rules about international data processing.

The new regime includes substantially higher financial penalties for compliance failures and, in the worst cases, there can be criminal prosecutions.

Through employing people we gather sensitive personal data, from the moment they contact us with a view to an application. We add to that during the course of employment, through promotions, salary and tax information, equality monitoring, management discussions (including about performance, absence and health, and life's personal events), investigations, disciplinary matters, even pensions. One that often slips under the radar is Trades Union membership or activity, yet that too is required to be treated as sensitive personal data.

I attended a GDPR event a couple of weeks ago, where much of the focus was on automated audit of information held and, unsurprisingly, the technical elements of information security. All of this is important, yet when I have led training on data protection in HR, it is more often the physical aspects of protecting information that shine through as potential areas of risk. How often have you politely held open a door for the person following you into a building or office? Does your HR department have sufficiently secure storage? Are all your portable devices encrypted?

So, I am excited [yes, really!] by the buzz that is growing around this topic. The GDPR is not just about information held and processed electronically, servers, systems and firewalls. It is about 'mindset'. It is about re-thinking and educating, so data is protected as the Regulations say 'by design and default'. So due consideration is given to information gathered, consent, legitimate processing, accuracy, rectification and retention/destruction. Many will fear the new penalty regime, but I believe there is more to be gained from focus on respect for the individual's rights over their information. It may even become a driver behind greater efficiency in the gathering and processing of information.

On December 1 I chaired an Acas conference on the GDPR in Cambridge and we are planning another in or near Bristol in January. I look forward to meeting some of you there.

For more on Data Protection, please see:

Add a Comment