10 Everyday Workplace Activities That Will Totally Change Under the GDPR

Adam Prince

VP of Product Management at Sage

Adam is VP of Product Management at Sage, supporting enterprise-level global development, sales and marketing teams with compliance, localisation and cloud services. Having joined Sage in 2016 after over two decades in the software industry, Adam is an expert in global compliance requirements for business, accounting and security, including GDPR. Adam is also a Sage Foundation Ambassador, committed to taking action to build sustainable social, economic and entrepreneurial opportunities in Sage's local communities.

14.05.2018 12:30 pm

On 25th May 2018, the GDPR (General Data Protection Regulation) comes into effect across the EU, regulating how businesses should handle personal data. Businesses large and small need to get ready for this change. However, research from industry analysts IDC last month found that less than half of European Small & Medium Businesses have taken steps to get ready for the new regulations. So with just 30 short days to go, Sage has identified 10 everyday workplace activities that ought to be considered more carefully from May 25th onwards.

1. Celebrating a colleague’s birthday

An individual’s date of birth is their own personal data. Under the GDPR, unless shared in a purely personal or household activity, it should not be shared without express consent by the individual. So it is worth checking that you have everyone’s permission to host a shared calendar of birthdays in the office.

2. Sending office Christmas cards

If you were planning to send Christmas cards to your customers, stop right there. If that includes someone's home address, that is personal data, so once again it is not necessarily permissible under the GDPR unless you have the consent of the individuals in advance. If you do not have express consent to contact each customer, a different legitimate basis must be established for each business communication you send.

3. Sharing a colleague’s baby photos

Think twice before sharing baby photos with international colleagues. All those adorable new arrivals may have to remain unseen by colleagues far away. Personal data can only be transferred internationally if the country has been designated by the EU as providing an adequate level of data protection, by complying with an approved certification mechanism such as the EU-US Privacy Shield or by obtaining the consent of the individual concerned. Of course, if the sharing of a baby photo is deemed a purely personal or household activity, then it can be argued to fall outside of the scope of the GDPR.

4. Catering for allergies at work events

Do you have colleagues with nut allergies? Or perhaps they have kosher or halal dietary requirements? I'm afraid these are all classed as personal data. So before you pick up the phone to a restaurant or caterer, make sure you have your colleagues' permission to share that information with others.

5. Forwarding on a candidate’s CV for a second opinion

Not sure about a potential candidate for a role in your organisation? Tough luck: once again that will be personal data and cannot be shared with another colleague unless the CV is shared with someone relevant to that role. However, an easy way to get a second view of a CV is to anonymise it, removing name, address, phone number and any other identifiable information. This is also a growing trend among businesses as part of an approach to remove gender and race bias in recruitment.

6. Ticking the box to join a mailing list

Does your website registration form have a pre-ticked box for customers to receive marketing information from third parties? You might want to rethink that come 25th May. Under the GDPR, silence, pre-ticked boxes and inactivity will no longer suffice as consent. You may also want to read through your privacy terms online, as a request by a business for consent to use personal information must be intelligible and in clear, plain language.

7. Talking politics in the office

Political opinions are part of a special category of personal information (sensitive personal data), and organisations cannot record or process data about this type of information unless it is absolutely necessary or they have obtained the explicit consent of the individual concerned. So, that email chain about the forthcoming elections starts to look very dangerous, and should anyone forward on that email chain containing people's political opinions, that may fall foul of the GDPR.

8. Calling in sick

Health information is also part of that special category of personal information. So, if you have to call in sick one morning because of a specified medical condition, then only the fact that you are unwell should be conveyed to others who need to know your whereabouts, rather than specifying the medical condition.

9. Data auditing

Under the GDPR, an organisation should have a designated person responsible for data protection matters, and in some cases a company may need to formally appoint a Data Protection Officer before carrying out any large-scale processing of personal data. The individual appointed would be responsible for raising awareness of data protection regulations in the organisation, training staff and managing audits of data processes.

10. Managing a data breach

If your business suffers a data hack, you've got to think quickly about telling people about it. Under the GDPR, if personal data is accidentally or unlawfully lost, destroyed, altered or damaged, it needs to be reported to the supervisory authority within 3 days. And it's not just the relevant authority that needs to be notified: all individuals impacted need to be informed too if the breach is likely to result in a high risk leading to financial loss, identity theft or fraud.
