Environmental, Health and Safety News, Resources & Best Practices

GDPR: OHS Practitioners to Review How They Handle Personal Data

Written by EHS Insight Staff | April 23, 2018 at 3:53 PM

Pinsent Masons, an international law firm, gives us detailed information on an upcoming enforcement of personal data collection. The General Data Protection Regulation (GDPR) will affect organizations within the European Union (EU) and those managing EU citizen data.

The GDPR will become fully enforceable on May 25, 2018. 

OHS practitioners will need to carefully review how they obtain and handle personal data. The GDPR is set to apply in May 2018. OHS practitioners need to ensure that their data collection methods are compliant with the GDPR. 

Safety professionals have the potential to hold a considerable amount of personal data. This includes workers’ training records, information related to employee health issues, and documentation of any disabilities or special needs of their staff.

They also collect personal data when filling out accident reports and conducting investigations. Names, addresses, medical information, and more is often collected and recorded during these situations.

According to the article from Pinsent Masons, “the GDPR gives a very broad definition to 'personal data' to include any information relating to an identified or identifiable individual, whether directly or indirectly.”

The GDPR explains that OHS professionals can lawfully collect personal data where they have “obtained the unambiguous, freely given, informed and specific consent of data subjects for such processing.”

Careful thought must be given for processing personal data in each situation– otherwise, organizations could be dealt hefty fines. The GDPR could issue multi-million-pound fines for data protection breaches.

OHS professionals still have time to prepare for the GDPR. They should immediately assess all the categories of personal data they collect and ensure that their collection methods are in compliance with the GDPR.

At a minimum, organizations need to prove that all processing takes place as required by the data protection principles. They also need to provide evidence that there is a lawful basis for the processing of that data.

The same goes for collection of all future data. How it’s collected, where it is stored, how long it will be kept for, and for what purpose: this information needs to be communicated.

OHS practitioners might not fully understand what is being asked of them. They cannot simple collect data and use it when they want and how they want. Data collection is important in this profession, of course. After all, the point of collecting data during an investigation is to protect employees, to learn from recent incidents, and to make sure that others do not suffer from similar injuries when they can be prevented.

The GDPR is also trying to protect employees, but in a different way. Personal data and private information needs to be taken into account during safety investigations and in other workplace scenarios.

A better understanding of the GDPR requirements will help protect everyone. And workplaces won’t have to worry about a lawsuit, if the collection methods are in compliance.

For more information about the GDPR, visit www.eugdpr.org.