This is a big deal.
Don’t switch off just because we’ve mentioned Data Protection. This is possibly one of the biggest changes to affect every business in the UK.
It will also affect all sorts of aspects of your business. The most obvious area is your marketing and sales activities, but it will also affect how you deal with the personal data of employees which is what we here at citrusHR are taking very seriously.
It’s a new law and it’s called the GDPR.
A new law dealing with data protection across Europe (the General Data Protection Regulation – GDPR) is coming into force in the UK in May 2018, even though Brexit negotiations will be in full flow by then. It builds on existing data protection law in the UK and primarily contains increased rights for individuals over the use of their personal data, more obligations on those who obtain that data – data controllers, like you as employers – and more obligations on those who process that data – data processors, like citrusHR.
There will also be much stiffer penalties and fines for failing to follow this new law, to ensure that everyone takes it seriously.
How does it affect the data I hold on my employees?
The detail surrounding the holding and processing of employee data is not yet fully clear.
In the next few months we expect to get more guidance on this. Specifically, we will be looking at what sort of consent employees will need to give and whether employers will be able to rely on other grounds for using that data to avoid the need for individual consent. We’ll also be looking at what sort of exemptions will be granted for various categories of personal employee data.
3 key changes to be aware of…
1. Increased rights for individuals
This change comprises a number of measures that build on existing obligations. The key points to note, for most small businesses and specifically for employee data, are:
- Telling individuals what information you hold about them, in a form that is concise, clear, easy to understand and easy to access.
- Individuals continue to have a right to ask organisations to provide details of the personal data being held about them, but the change requires it to be provided free of charge and within one month in most circumstances.
- Individuals will be entitled to have personal data corrected if it is inaccurate or incomplete, within one month of the request to put it right.
- Individuals will now have a ‘right to be forgotten’ and can request that their personal data is removed. This is not going to be unlimited so we expect that it may not apply to some sorts of employee data.
- Individuals will also have the ‘right to object’ to certain uses of their data, which means you will be required to inform them of this right when you first communicate with them about what data you are using and why.
There are other rights for individuals under the GDPR but these are the main ones that may affect employee data.
2. Increased accountability for controllers and processors
In practice this will mean that businesses will need to review comprehensively all systems and processes in relation to data processing, to make sure that they comply with these increased responsibilities towards individuals, and to minimise the risks of breaches of their rights.
There is also a new requirement to notify personal data breaches to the Information Commissioner without undue delay once you become aware of them (within 72 hours where feasible, unless the breach is unlikely to result in a risk to the individuals concerned), and in some cases to notify the individuals affected as well. Failing to do this is itself a breach of the law which can carry monetary penalties.
3. Increased penalties for breaches
Much of the attention surrounding GDPR has focused on the significantly increased levels of fines for breaking the GDPR. The maximum fine levels will be up to 4% of annual worldwide turnover or 20 million Euros, whichever is the greater. This shows just how seriously businesses should take data compliance.
Whilst this is a very technical area, with more detailed guidance yet to be given, the overarching principles we have set out above are clear and confirmed.
We are also working on the basis that there are unlikely to be any significant exemptions for smaller organisations, although we will watch carefully and update you on all of the guidance coming from the Information Commissioner’s Office.
It’s very likely that businesses will need to make changes to their employment contracts and data protection and privacy policies to comply with the new law. Here at citrusHR we will be doing this for our customers, working with them over the coming months to help make all the necessary changes.
If you would like to have a chat about how we can help you protect your business, please get in touch on 0333 444 1065 or get in touch here.