In her latest newsletter, Elizabeth Denham (the Information Commissioner) is encouraging all businesses to keep going with their preparations for the GDPR (the EU General Data Protection Regulation), which comes into force in the UK and the rest of the EU on 25th May.
If you haven’t started preparing yet, you can’t afford to ignore it. Every business, even those with only one employee, will be a Data Controller for that employee’s personal data and as such will need to comply with GDPR. If you hold personal details of customers or if you market to prospective customers by phone or email, then you need to comply with GDPR for this data as well as your employee data.
The risks of non-compliance are high. Depending on the nature of your business, you may get some very unwelcome publicity if people find out you’re using their data without their knowledge or consent. The Information Commissioner’s Office (ICO) will wield the power to issue fines of up to 4% of annual worldwide turnover for flagrant breaches. Just look at the pickle that Facebook is currently in, being criticised as much for having poor procedures and security as for the actual misuse (by others) of users’ data.
What is GDPR and why does it affect my business?
For anyone who needs a catch-up, GDPR imposes new, stricter rules on how to collect, use and store personal data about individuals. Under GDPR, people will have a right to know:
- who is holding their data
- why they need it
- what they are doing with it
- who has access to it
- how it is kept secure
- how long it will be held before being erased
This applies to all employee personal data even if you don’t hold any other types of personal data. Businesses will have stricter obligations to keep personal data up to date and secure, to keep comprehensive records of what they’re keeping and why, and to communicate this clearly to all individuals concerned.
Individuals will also have additional rights in relation to the privacy of their data, including, in certain circumstances, the right to be forgotten (forcing you to delete their data) and the right to object to you holding their data at all.
What do I need to do to comply?
The first step is to carry out a comprehensive audit to find out what personal data you hold. The idea is to see whether there is any data you no longer need, or shouldn’t have had in the first place; to check whether you need to ask for the person’s consent to continue to hold and use it; to assess whether you can improve how securely the information is held, or reduce the number of people who have access to it (to those who absolutely need it); and to have a spring clean to see if there’s information that should already have been deleted.
For employee data, you need to go through every category of personal data you hold about your existing employees, those who have left, and those who are currently in a recruitment process. You need to consider everything, from their phone number to their tax code, as well as information about sickness, disciplinaries, appraisals, qualifications, holidays, family leave – the list is quite long! For each piece of data you will need to think about why you hold it, what you do with it, who sees it, whether you need the consent of the individual to hold it, how securely it is kept and how long you plan to keep it.
You also need to identify whether you are holding any special category data, such as health data and racial origin data. These types of information have additional rules that you have to comply with in order to continue to hold them. There are also special rules about information on someone’s criminal convictions, so if you carry out DBS checks as part of your recruitment process, you will need to be aware of the restrictions on holding this information.
For busy managers of small organisations, the employee data audit alone can be very time consuming and complex, never mind other personal customer or marketing data. This is where HR software like ours can help, with much of the hard work already done for you.
Tell employees about their data
Having worked through a list of employee personal data, you will then need to provide your employees with information about it. This doesn’t necessarily mean issuing new employment contracts, although you will need to generate a new Privacy Notice; this lets each employee know the outcome of your audit in relation to them – again, citrusHR can help make that process swift and easy. Smaller organisations, with fewer than 250 staff, can just report on special category data, and data where there is a high risk to the individual if there is a data security breach. However, you still have to go through the process of identifying this sort of information in your audit, and there is no hard and fast rule about what amounts to a high risk in this situation. We have therefore decided to create an HR Privacy Notice which reports to employees on all data held.
You will also need to hold the data securely and keep it up to date – so much easier in a cloud-based system, as opposed to an old filing cabinet! Perhaps it doesn’t lock any more, and, even if it did, who has the key?
Repeat the same sort of process for customer data, telling customers and anyone else about the personal data you hold on them.
Make sure employees know about your new rules on using others’ data
And then there are your employment policies. You will need to highlight your rules and procedures about data security to all employees (this relates to both employees’ and customers’ data). This will probably involve some training and ensuring that documents like your Data Protection Policy are GDPR compliant. It’ll have a knock-on effect on other policies that refer to Data Protection too; for example, a Remote Working Policy or an IT and Communications Systems Policy will need updating.
An HR support service like citrus will provide a comprehensive Staff Handbook for you. It’ll have up-to-date policies that are regularly reviewed and updated, and HR consultants on hand to speak to directly and answer your queries.
Keep everything up to date and accurate – incorrect data is not useful at the best of times and can be dangerous.
This is new law, and as such, guidance may change over time as the new system gets established and any problems are ironed out.
Every time you collect a new piece of personal data for your business, whether it concerns your employees, your customers or your soon to be customers, you will need to go through this sort of process again, making sure that you’re still following GDPR rules in relation to the new data.
HR software systems make it much easier to edit and change information without having to produce lengthy new paperwork. It’s good practice to keep records complete, centralised and easy to access; going forward, this will make life much easier.
If you need a helping hand with streamlining your employee data, HR software can help. It keeps your employee data both highly accessible and highly secure. All data processing is automatically recorded, and any changes and requests are simple and quick to make.
HR support service
If you feel that you need some help and support updating your policies or generating privacy notices, please contact us on 0333 4440165 or email us at help@citrusHr.com to speak to one of our friendly team, who will be happy to tell you about our HR support service.