The General Data Protection Regulation (GDPR) is a regulation that specifies how the personal data of people in the European Union (EU) may be processed and used, and it applies to companies holding the data of EU citizens. Because health and safety departments oftentimes hold a wide range of personal data, including SIN numbers, home addresses, and phone numbers, health and safety managers may be deemed responsible for data protection. Protections for personal information are usually handled by data controllers; however, health and safety managers who manage such data may be considered a data controller by proxy. This article will give your H&S department a simple overview of how GDPR may affect its operations and responsibilities.
What are the Goals of GDPR?
GDPR focuses on protecting the human rights of data subjects and their right to privacy. Compliance with GDPR allows:
- More control over personal data.
- A free flow of personal data while ensuring a high level of security.
- Enforced consent to collect and process individuals’ data.
- Greater management and reduction of data breaches and misuse of data.
The GDPR deadline was May 25, 2018 – which means your operations are already expected to be in compliance. You will need processes in place to meet these 4 goals in order to protect your H&S department from violations and possible fines.
Collecting Personal Data
The GDPR defines “personal data” as information relating to a person who can be identified through an identifier such as a name, location, or a combination of identifiers (genetic, physical, cultural). Data controllers and health and safety managers working as data controllers under GDPR must have a systematic process to:
- Provide information you have on an individual to that individual upon request.
- Delete personal data.
- Ask for consent to collect and/or use data.
Lastly, clear and simple privacy notices must also be provided to explain data collection. GDPR aims to manage data collected from and about an individual by determining consent, data storage, the contents of the data, who owns the data, which data can be collected (and the circumstances under which it can be obtained), who can or should have access to the data, and who is currently accessing the data.
Action items for Health & Safety:
- Make it known via corporate communication or employee contracts that data can be requested or deleted per GDPR guidelines.
- Get signed consent / add consent into employee contracts to collect personal data.
Who does GDPR Affect?
The scope of GDPR varies. All EU-based organizations are covered by GDPR; however, non-EU-based organizations are only subject to GDPR when dealing with EU citizens and non-EU citizens physically in the European Union. Additionally, the data of deceased EU citizens is not protected under GDPR. The table below shows other instances where you may be subject to GDPR:
GDPR demands a higher level of protection for certain personal information. This special category data includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data, such as:
  - Gene sequences
  - Facial recognition
  - Retina scans
- Sexual orientation
Health & Safety departments will likely not collect all the data mentioned, but there are types of information, like union membership and health data, that could be processed by your operations. Processing of personal data may only occur if there is a lawful reason for using the information. Any company that needs to process the special category data listed above must check Article 9 of the GDPR to examine the requirements.
Personal data dealing with criminal convictions and offenses is also sensitive and is managed separately under the GDPR protections outlined in Article 10. If special category data is collected, stored, processed, or transmitted, data controllers must ensure that additional protections are put in place so that the information is appropriately safeguarded.
Action Items for Health & Safety:
- Assess your employee records against the GDPR applicability table to determine if you have any staff protected by the new GDPR standards. Many businesses in North America will have some staff, even if they don’t realize it – for example, a salesperson working in EU locations.
- Check which data fields you collect for Health & Safety tracking and reporting. Is any of it specially protected? Is all of it strictly necessary? Anything you don’t require has no lawful basis for collection and could pose a GDPR risk.
GDPR aims to reduce personal data breaches, fraud, identity theft, misappropriation of data, and blackmail for individuals. The larger data breaches in the past year stem from a user who had access to files they shouldn’t have been able to see in the first place. These issues are typically handed over to a data controller who is responsible for determining what data is to be collected and how it is to be processed. The person working with the data (the “data processor”) processes personal data on behalf of the controller.
For many EH&S departments, the Health & Safety team becomes the responsible persons within the organization for processing personal data under the watch of the H&S Manager acting as Data Controller. This represents a massive shift in the roles of H&S specialists within the manufacturing industry.
For full GDPR compliance all data processors are required to:
- Only process personal data as instructed by the controller and inform the controller if it believes said instruction infringes on the GDPR (28.3). A data processor must use data for purposes outlined by the data controller.
- Obtain written permission from the controller before hiring a subcontractor (28.2) and assume full liability for failures of subcontractors to meet the GDPR (28.4).
- Delete or return all personal data to the controller on request, at the end of service contract (28.3.g).
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h).
- Take sensible steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1).
- Notify data controllers without undue delay upon learning of data breaches (33.2).
- Transfer personal data to a third country only if appropriate legal safeguards are in place (46).
Non-compliance with GDPR can result in severe data breaches that harm the privacy of citizens, as well as large fines. The consequences can include warnings, reprimands, corrective orders, and smaller fines; the maximum fine can have companies paying up to 4% of annual global turnover or 20 million euros (whichever is greater).
How to Take Steps Towards H&S GDPR Compliance
The key to GDPR compliance is having a plan in place to handle and secure employee, client, and supplier data. While this might sound like a large endeavor, there are a few straightforward action items your H&S department can work on today that will move you closer to complete GDPR compliance. ERA’s Health & Safety expert, Dr. Ehsan Maghsoudi Ph.D. outlines the strategy for your Health & Safety team in a free webinar. Here’s a sample of what he will cover:
- 8 steps your H&S department needs to take quickly, including data centralization and digital record management best practices.
- The changing role of H&S managers in the realm of privacy legislation.
- Types of data you should and shouldn’t be collecting.
Getting access to the free webinar is simple and fast. If you’re ready to learn more about GDPR and its vital role in Health & Safety compliance, click the button below.