
Calling All Health And Safety Professionals... Are You GDPR Ready?


With only a month to go until GDPR is here, those responsible for Health and Safety should consider whether they need to do any further work to demonstrate compliance with the new era of data protection law.

GDPR will affect organisations of all types and sizes, because almost every business already gathers or processes personal data in some form. Those responsible for implementing an organisation’s Health and Safety management system are likely to hold a large volume of personal data about employees, customers and third parties, including contractors and suppliers. Identifying what data the business holds, which many will already have done, is only the first step in demonstrating compliance with GDPR: the organisation must also be able to show the lawful basis for each processing activity, how long the data is kept, who can access it and how it is secured.

GDPR distinguishes between “personal data” and “special categories of personal data”. In short, personal data means any information relating to an identified or identifiable living person. The special categories are broadly similar to the idea of sensitive personal data under the current regime and attract stricter conditions for processing. Health and Safety related data covered by GDPR can range from employees’ names and other personal details to personal information held on smart photocards. Occupational health records and witness statements could, for example, contain special category data, such as information relating to an individual’s health, genetics or ethnicity. Accident reports are also likely to contain personal data and may contain medical or other information falling into the special categories. Although many organisations are reducing the amount of paper they hold as they become more digital, GDPR applies both to automated processing and to manual records held in a structured filing system. Personal data also includes CCTV footage, data from wearable technology and mobile phone location data, all of which are routinely collected for safety purposes.

It is clear that as our reliance on technology grows, data security issues will continue to challenge modern businesses. Health and Safety managers should assess the effectiveness of their IT and cyber security arrangements, because a personal data breach that is likely to result in a risk to individuals must be notified to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected individuals must also be told. Failure to notify can itself attract a fine. Continual assessment of these systems is advised in line with GDPR’s new “accountability principle”, which requires organisations not only to comply with the data protection principles but to be able to demonstrate how they comply, for example through records of processing, documented security measures and staff training. In practical terms, this means that accountability for personal data is spread more widely across the organisation, similar to the way in which Health and Safety is a shared responsibility at all levels of a business.

Although the likelihood of large fines has been played down by the ICO, GDPR allows fines of up to 20,000,000 EUR or 4% of a company’s total worldwide annual turnover, whichever is higher, to be imposed for the most serious breaches. This is a significant increase from the maximum fine of £500,000 under the Data Protection Act 1998. The legislation also gives individuals the right to claim compensation for damage caused by non-compliance and to complain to the ICO. In addition to levying fines, the ICO’s powers under GDPR include issuing warnings and reprimands, imposing temporary or permanent bans on processing, and ordering the rectification or erasure of data.


By Jennifer Macleod
Trainee Solicitor
