Employee Benefits poll: Less than one-fifth (15%) of employer respondents are currently looking at the impact of the General Data Protection Regulation (GDPR) on benefits and pensions.
A poll of www.employeebenefits.co.uk readers, which received 39 responses, also found that 31% are examining their staff data protection policies in light of the regulation, which comes into effect on 25 May 2018.
Two-fifths (41%) of respondents are aware of the implementation of the GDPR next year but are not yet taking any action related to this. Just 13% of respondents are not aware of it.
The GDPR aims to protect citizens of the European Union (EU) from privacy and data breaches. This includes mandatory notifications of data breaches within a 72-hour period where a breach is likely to result in a risk for the rights and freedoms of an individual. Subjects will also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose.
The legislation applies to organisations within the EU, as well as organisations that are outside of the EU but offer goods or services to EU data subjects or that monitor the behaviour of EU data subjects. It also applies to organisations that hold or process the personal data of subjects residing in the EU.
Penalties for non-compliance include a fine of up to 4% of annual global turnover or €20 million.
The UK's decision to leave the EU is not expected to affect the commencement of the GDPR in 2018.
Helen Hall, legal director in the employment and pensions team at law firm DLA Piper, said: “Once the GDPR is in force, the regulator will require organisations to demonstrate how they're complying. This is not a tick-box exercise, the legislation requires a change of approach and culture, and it requires privacy to be woven into the heart of the employment life cycle. Preparation will entail extensive data mapping, gap analysis, and documentation.
“The first challenge is where this fits in an organisation: lots of organisations don’t have data privacy specialists and even if they do they don’t have the employment law understanding needed to assess legitimate use of HR data. It’s not solely legal or compliance but not purely HR either. Organisations need to be joined up in their approach in order to address the different facets to the issue.
“Another key challenge is budget: lots of HR departments are aware of this issue but don’t have the budget to take it forward. Equally, there are situations where awareness within HR departments is still low or they don’t yet appreciate the potentially significant practical impact on day-to-day HR operations.”