Over a year ago, the General Data Protection Regulation (GDPR) was adopted, and its requirements, including the penalties, come into force on 25th May 2018. The regulation will apply across the EU and, despite Brexit looming, we are still adopting these measures!
Getting ready for GDPR
So why are so few SME businesses prepared? A survey carried out by Blanco Technology Group found that 43% of businesses have not started their data protection gap analysis, which is an essential first step.
Unless you have been a victim of having your personal data hacked and then abused, perhaps by identity fraudsters, you may well see the new legislation as an irritation.
Unfortunately, following a breach, the fines for non-compliance have been designed to hurt significantly. The maximum fine in the top tier is €20,000,000 or 4% of global annual turnover, whichever is higher. Ouch!
Most employers need to be registered with the ICO (Information Commissioner’s Office) because they keep records of personal data which make their staff identifiable. Frequently, this data will be shared with others, such as payroll providers.
If you have not registered, or are unsure whether you need to, the ICO has a simple questionnaire which will help. The GDPR expands on the current Data Protection Act. But don’t panic! With a bit of planning and a bit of help, you will be able to ensure you are on the right side of the law on this.
What kind of data?
The information we are talking about is any personal data of employees and potential employees. This includes data generated by employees, their managers and third parties, and personal data stored across multiple sites, including on computers, drives, cloud drives or systems, laptops and email.
What will you need to change?
First things first, take a good look at where and how HR data is stored and managed in your business, so you understand where you could fall foul of the new regulations. The main things to be aware of are:
1. Consent
The biggest thing to note when it comes to HR changes is the notion of consent. Currently, consent to store and share data is assumed by virtue of applying for a job or signing an employment contract. Under the new regulations, consent must be freely given, specific, informed and unambiguous. It must also be separate from other terms and conditions such as the employment contract. Because of the imbalance of power between employer and employee, consent will rarely be the right basis for core HR processing; you will usually need to rely on another lawful basis, such as performance of the employment contract or a legal obligation, and you should record which basis you rely on for each type of data.
For example, employers are currently required to provide a privacy notice to job applicants that sets out how the data held on them will be used and stored. The new rules mean that applicants must also be told how long their data will be kept, and how they can have it rectified or erased.
2. ‘fess up if you breach
The GDPR imposes a new mandatory breach reporting requirement. Where there has been a personal data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify the data protection authority (in the UK, the ICO) and provide certain information within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the risk to those individuals is high, they must be informed as well, so you should have a breach response procedure in place before the deadline.
3. Be ready for more subject access requests
The other change affects subject access requests. These can be genuine, but they are sometimes used by disgruntled employees to go on a fishing trip and see if they can find the email that proves you hated them!
Currently, you can charge a fee of up to £10 and have 40 days to respond, but this is changing. Under the GDPR you may not charge anything unless the request is manifestly unfounded or excessive, and you have one calendar month to respond (extendable by a further two months where requests are complex or numerous). It is worth checking now how quickly you could locate and extract everything you hold on a given employee.
The HR Dept can help you prepare
The GDPR will affect all aspects of your business. Therefore, our advice would be to look at the 12-step plan on the Information Commissioner’s Office website and start to prepare for your whole business.
With regard to the HR changes needed within your business, we will be providing you with all the documents, assistance and resources you need, well ahead of the changes.
Time flies and there will be a lot to do between now and May 2018. But, as ever, The HR Dept will be here to help.