[BreachExchange] 10 everyday workplace activities that will totally change under the GDPR

[Audrey McNeil]

https://www.sage.com/en-gb/blog/workplace-activities-gdpr/

On 25 May 2018, the General Data Protection Regulation (GDPR) comes into
effect across the European Union, regulating how businesses should handle
personal data. Businesses large and small need to get ready for this change.

However, research in March from industry analysts IDC found that fewer than
half of European small and medium businesses have taken steps to get ready
for the new regulations. So with just 30 short days to go, we have
identified 10 everyday workplace activities that ought to be considered
more carefully from 25 May onwards.

1. Celebrating a colleague’s birthday

An individual’s date of birth is their own personal data. Under the GDPR,
it cannot be shared without express consent by the individual. So it is
worth checking that you have everyone’s permission to host a shared
calendar of birthdays in the office.

2. Sending office Christmas cards

If you were planning to send Christmas cards to your customers, stop right
there. If that were to include someone’s home address then that is personal
data so once again not permissible under the GDPR, unless you have consent
of the individuals in advance.

If you do not have express consent to contact each customer, a different
legitimate basis must be established for each business communication you
send. So it may be for the courts to decide the business legitimacy of
wishing Christmas greetings.

3. Sharing a colleague’s baby photos

Think twice before sharing baby photos with international colleagues. All
those adorable new arrivals may have to remain unseen by colleagues far
away.

Personal data can only be transferred internationally if the country has
been designated by the EU as providing an adequate level of data protection
or by complying with an approved certification mechanism such as the EU-US
Privacy Shield.

Of course, if the sharing of a baby photo is deemed purely personal
activity, then it can be argued to fall outside of the scope of the GDPR.

4. Catering for allergies at work events

Do you have colleagues with nut allergies? Or perhaps they have kosher or
halal dietary requirements? Afraid these are all classed as personal data.
So before you pick up the phone to a restaurant or caterer, make sure you
have your colleagues’ permission to share that information with others.

5. Forwarding on a candidate’s CV for a second opinion

Not sure about a potential candidate for a role in your organisation? Tough
luck – once again that will be personal data. Of course, you could argue
that it would be reasonable to share a CV of an applicant with others in
the company on a need to know basis.

However, an easy way to get a second view of a CV is to anonymise it,
removing name, address, phone number and any other identifiable
information. This is also becoming a growing trend among businesses as a
part of an approach to remove gender and race bias in recruitment.

6. Ticking the box to join a mailing list

Does your website registration form have a pre-ticked box for customers to
receive marketing information from third parties? You might want to rethink
that come 26 May.

Under the GDPR, silence, pre-ticked boxes and inactivity will no longer
suffice as consent. You may also want to read through your privacy terms
online, as a request by a business for consent to use personal information
must be intelligible and in clear, plain language.

7. Talking politics in the office

Political opinions are part of a special category of personal information –
sensitive personal data – and organisations cannot record or process data
about this type of information.

So, if you were planning a company webcast about a forthcoming election, it
may be best practice for a speaker to preface any comments with the phrase
“I expressly consent to share this information about my political opinions”.

8. Calling in sick

Health information is also part of that special category of personal
information.

If you have to call in sick one morning to discuss a particular medical
condition, you can’t then return to your sickbed and hope that the message
will be passed on unless you have consented for that information to be
shared with every person who needs to be told.

Alternatively, an individual can personally share that information
themselves, which means that sore throat may get a lot worse with all those
calls to make to ensure everyone knows your whereabouts.

9. Data auditing

Under the GDPR, an organisation needs to have a designated person
responsible for data protection matters and in some cases, a company may
need to formally appoint a Data Protection Officer before carrying out any
large-scale processing personal data.

An individual appointed would be responsible for raising awareness of data
protection regulations in an organisation, training staff and managing
audits of data processes.

10. Managing a data breach

If your business suffers a data hack, you’ve got to think quickly about
telling people about it. Under the GDPR, if personal data is accidentally
or unlawfully lost, destroyed, altered or damaged, it needs to be reported
to the supervisory authority within three days.

And it’s not just the relevant authority that needs to be notified, all
individuals impacted need to be informed too if it is likely to result in a
high risk leading to financial loss, identity theft or fraud.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180425/6671f338/attachment.html>