Q: We are a successful business about to open two new offices and are looking to build our own intranet-based personnel system with a virtual two-way access platform. As there will be personal information stored and shared on it, what should we be aware of regarding data protection?
A: In mid-2018 a new General Data Protection Regulation (GDPR) will be coming into force. The main difference between the GDPR and the current Data Protection Act will be the requirement to put into place procedures that will comply with new transparency and individuals’ rights provisions. The emphasis will be on the way data is kept, shared and ultimately removed. If you do not have a data controller, now would be a good time to appoint one, as there is provision for some hefty turnover-based fines for non-compliance.
Carry out an information audit and document all the personal data you hold, where it came from and who you share it with. This includes information on external individual customers or clients as well as staff. As you will be network sharing, it will be essential to store accurate personal data, so incorporate a system procedure to ensure inaccuracies can be put right and communicated globally.
Currently, when collecting personal data, you must inform people, usually through a privacy notice, of your identity and how you intend to use their data. Under the GDPR you will also have to explain your legal basis for processing the data, the data retention period and the person’s right to complain to the Information Commissioner’s Office if they are unhappy with the way you are handling their data.
Carrying out a complete review of all your company’s documentation, data and information sharing procedures now would give you time to run your proposed provisions past your legal team and iron out any potential problems.