If you know all about #GDPR, you probably don’t need to read this article!

Like me, you have probably been plagued over the last six months with offers of reports, consultancy services, webinars and conferences about the apocalyptic effects of GDPR (General Data Protection Regulations) and the prospect of €20 million fines.

I’m no expert on this (that’s a disclaimer!), but the truth is, there is nobody who knows all the answers yet, if they ever will.

There are still differing opinions about the impact of these regulations which stem from the EU and will be implemented (by 25 May 2018) into UK law when the Data Protection Bill finally passes through parliament.

The purpose of this blog is to set out the essentials that need to be carried out in a typical SME organisation (large organisations are probably well on with all this) in regard to the use of employee data.  The same principles will apply to other personal data, for instance on customers or clients, about which you may need more specialist advice.

There is lots of ground I won’t cover, but if you want an overview, this is my favourite from the European Commission, and if you want more detail, perhaps you are an HR professional responsible for this stuff, try this 35 minute webinar.

The underlying message is that data protection needs to become proactive, and to help you do this, here are three ‘musts’ and two ‘shoulds’:-

  1. A ‘privacy statement’ ‘must’ be given to employees whenever you collect data.

    At the moment you probably rely on a data processing statement in your contract of employment. This will not be sufficient under the GDPR, which requires you to tell data subjects about the lawful basis for using the data (with employee data this is usually for compliance, performance of a contract or because of your legitimate business interests – which you must outline), your retention policy, and their rights in relation to their personal data, etc.

    You can provide this notice via your website, intranet or Staff Handbook, but as many organisations already do with Health and Safety, it is advisable to make specific reference to it when collecting personal data and obtain evidence that it has been read.

    You may also want a shorter version for use when recruiting.

  2. Responding appropriately. You ‘must’ keep a record of any personal data protection breach, including its effects and remedial action you have taken.  Even the loss of a mobile phone or laptop could amount to a breach.

    It may need recording.  It will need reporting to the Information Commissioner within 72 hours if it’s likely to cause a risk to the rights and freedoms of individuals, and where the risk is regarded as ‘high’, individuals must be told.

    You must also respond appropriately to subject access requests (SARs), the right to be forgotten, and requests for corrections or restrictions etc.

  3. You ‘must’ make sure you have adequate contracts with third party data processors (pay bureau and recruitment consultants being two of the most common). You will want assurances that they only process data you provide to them on written instructions, that staff involved with your data are subject to confidentiality agreements, and that they have adequate technical arrangements to ensure compliance.

    Sample contract clauses have been promised by the Information Commissioner’s Office (ICO).

  4. Underlying much of the GDPR is a new data protection principle of ‘Accountability’. Can you demonstrate that you take appropriate steps to protect the personal data of employees and comply with the requirements of the regulations?

    You are going to have difficulty demonstrating this if you don’t even know what personal data you use.  You ‘should’ carry out a personal data audit to help you demonstrate compliance.

    You will probably want to record what data you hold, where it comes from, who handles it, where it is stored, and two technical points: what the lawful basis is for using each item, and how long you keep it (retention).

    An audit is not compulsory, but without it you’ll have trouble doing some of the other things you have to do.  A couple of sides of A4 may well do this for many SMEs, and it should enable you to identify risks which can be mitigated.

  5. You ‘should’ appoint a responsible person (it might be you!) or know where you can go for advice when you need it. If your core business involves data processing, or you are involved in large scale processing of the special categories of data, then you must appoint a Data Protection Officer.

    If this is not the case, you may find it useful to have one person responsible for data protection issues, with a key role to educate and train other staff, but this will not be a requirement for many small businesses.

Is that all there is to it?  No, but an audit, a well drafted privacy statement, and regular Board level reviews and staff training/communication are likely to ensure that most SMEs who are only processing employee personal data will be able to show compliance with the 6 + 1 (Accountability) GDPR data processing principles.

Yes, there is much more including how you deal with transferring data outside the EU, responding to records of criminal convictions, automated decision making, personal data relating to children etc.  These are unlikely to be issues for most small businesses, so complex policies and procedures are probably not necessary.

If you want to sort all this out yourself, there is a self-assessment tool available on the Information Commissioner’s website, although as you might expect, it’s stronger on questions than it is on answers.

You may have also noticed (!) that there are plenty of consultants like ourselves, ready to assist.

Finally, what about those €20 million fines we mentioned at the beginning, and nearly every other communication about the GDPR has headlined?  There have been very few data protection convictions to date, and the evidence is that the ICO is not seeking to be over zealous in the future either.

So, this is not an issue to be driven by the prospect of fines or criminal convictions.  It’s far more positive to see it as an opportunity to review systems and assure yourself that the data you are collecting is necessary.

We live in an age where people are becoming increasingly conscious about the security of their personal data and taking these matters seriously will increase employee confidence and enhance your employee brand.


Ken Allison | 05 March 2018 | Paradigm Partners | www.paradigmpartners.co.uk

Ken Allison is an engaging trainer and speaker who manages to make his topics, on handling employment law related people issues and other HR stuff, highly interactive, challenging, entertaining, and above all, relevant to the 21st Century executive. Ken uses his understanding of managing businesses to show managers what they ‘can do’ rather than what they ‘cannot do’.

Through his firm’s ‘ExecutiveHR’ service, Ken also provides telephone based support services to businesses throughout the UK.

This blog is not a substitute for taking legal advice!


How useful is graphology in recruitment, and how to improve your hiring success rate?

In a recent survey published by The Academy for Chief Executives respondents indicated that recruiting, retaining and developing of quality people was the No 1 concern for SME leaders in 2018, beating even the uncertainty of #BREXIT!

This struck me, as the suggestion is that most SMEs pay attention to compliance issues, and other aspects of managing people often take second place – see People Skills: building ambition and HR capability in small UK firms.

Compliance is my area of expertise, and you may have heard me presenting, training or writing about employment law related topics, but this is not because I think it is the most important part of people management.

So, I thought I’d write about recruitment for a change, because this is probably the most important area where a few simple steps can significantly improve an organisation’s performance at getting the right people the first time.

Recruiting staff is an expensive and risky process, and is the area where professional HR advice can often make significant improvements, producing an immediate return on investment.

Three questions that will help you improve your recruitment processes.

Firstly, do you know whether you recruit well or not?  Put another way, is there a problem you need to solve?

If recruitment activity is taking a lot of your time, it can be caused by:-

  • speed of growth,
  • skills shortages in your sector or geographical area,
  • reward package,
  • approach to learning and development – you’re not developing people enough,
  • ‘time to fill’ – your process is just too slow and people go elsewhere (in a 2016 survey 41% of respondents said this had lost them candidates in the previous 12 months), or
  • the lack of clarity about the people characteristics you want.

There is a measure which will help you understand how you are doing compared to others.  In 2016 (link for CIPD members only), the median rate for labour turnover was 16.5%, calculated as (number of leavers p.a. / average number of employees) x 100.

The median figure relates to 8 people leaving each year in a 50-people organisation and other evidence suggests that most of these leave within their first year.

This median figure has risen in the last few years, and may not be reliable as a long-term indicator.  My own guidance is that if turnover exceeds 10% p.a., you need to understand why.

Secondly, do you understand clearly what you are looking for?  Getting this right is the number 1 thing that can help you reduce turnover.

It’s very hard to undo a mistake we make in recruitment.

Many of us get recruitment wrong because we don’t know what we are looking for, so we make our recruitment decisions in the first 30 seconds of an interview, and spend the rest of our time trying to justify our initial impression.

The traditional way of defining what you are looking for is the ‘Person Specification’, often detailing the skills, knowledge, experience and other attributes that a candidate needs.  Don’t go overboard on experience, as it often is not a good indicator of future performance – it’s their skill you should be looking at, not how many years they have done it!

A decent ‘Person Spec’ will work wonders, and if you don’t already do them, take a look at my guide at http://bit.ly/personspecs .

Another way of defining what you are looking for is to think about the behaviours that you would expect a successful candidate to exhibit.  I often ask managers to think of the best performer in a role that they have seen.

Imagine they were watching a video of that person at work: what would they observe them doing?  This is the start of designing what is called ‘competency based’ assessment or interviewing.

Thirdly, having defined what you want, take a look at the design of your recruitment process.

There are estimates that suggest that the average (even well structured) interview is only 50% reliable at predicting future performance.

You can significantly improve this by using the competency based techniques described above, and you can pick up my guide on how to turn the video observations into interview questions at http://bit.ly/competencybasedinterviewing .  Don’t worry, it’s free and you won’t have to leave me an email address!

Also, take a look at this great collection of competency based questions I saw recently on LinkedIn.

Try and think about building in other processes.

A client rang me for some psychometric profiling, after being frustrated at losing two new Marketing Managers in a 6-month period.  The problem appeared to be simply that the new people were just not fitting in to a family business with 50 employees.

Having defined more clearly what we were looking for, we designed a simple intervention to allow us to observe how candidates were likely to fit in.  This involved organising a Q&A session with all the candidates and the marketing team over lunch before the interviews.

The best way to assess future performance is to organise a workplace simulation, and this is precisely what the Q&A session was (sometimes they are called ‘job auditions’).  An opportunity to observe the candidates doing what they would have to do to succeed at the job.

This was a low-cost intervention.  Others, such as psychometrics, their personal interests, or the views of referees, may be useful, but the evidence is that length of experience is a less reliable indicator of future performance than graphology (much favoured by the French!).

In 2016, the median cost of recruiting a senior manager was estimated to be about £6000, but since this includes internal promotions, the real cost for many is likely to be double that.

At this level of investment, it is easy to see how spending time being clearer about what you are looking for, and designing your selection process around that, could help you get the right people first time, and reduce the very expensive cost of people who leave in the first year.


Ken Allison | 19 September 2017 | Paradigm Partners | www.paradigmpartners.co.uk
