The General Data Protection Regulation (GDPR) comes into effect on the 25th May, and most businesses will by now have heard about it and hopefully started putting measures in place to ensure compliance. The regulation replaces the Data Protection Act 1998 and applies to all organisations that collect or use the personal data of any individuals living in the EU.
‘Personal data’ refers to any data which can identify an individual, including names, addresses, ID numbers, mobile numbers etc. A breach of the regulation could result in large fines, and individuals will also be able to claim compensation if businesses don’t comply.
Health and safety systems often contain a large amount of personal data about their clients, employees, contractors etc. As well as names, addresses and phone numbers, health and safety systems may contain personal data such as:
- Records of accidents or incidents in the workplace
- Financial records for accreditations / pre-qualification tenders.
- Training records.
- Risk assessments containing sensitive information such as physical or mental health.
- Confidential data such as witness statements following an incident.
Health and safety data contained within your systems should be integrated into the changes and control measures you put in place across your organisation to manage personal data.
These changes should include:
- Gaining a better understanding of the GDPR and your duties under the legislation.
- Understanding and documenting your current data processes and demonstrating that they meet compliance requirements.
- Creating a register which identifies what types of personal data are being held, which documents they are stored in and how long you need to keep the data for.
- Assessing the security of your data storage and whether additional control measures are required to detect and manage potential breaches.
- Undertaking a data protection impact assessment, where one is required, to identify the most effective way to comply with your data protection obligations.