Like me, you have probably been plagued over the last six months with offers of reports, consultancy services, webinars and conferences about the apocalyptic effects of GDPR (General Data Protection Regulations) and the prospect of €20 million fines.
I’m no expert on this (that’s a disclaimer!), but the truth is, there is nobody who knows all the answers yet, if they ever will.
There are still differing opinions about the impact of these regulations which stem from the EU and will be implemented (by 25 May 2018) into UK law when the Data Protection Bill finally passes through parliament.
The purpose of this blog is to set out the essentials that need to be carried out in a typical SME organisation (large organisations are probably well on with all this) in regard to the use of employee data. The same principles will apply to other personal data, for instance on customers or clients, about which you may need more specialist advice.
There is lots of ground I won’t cover, but if you want an overview, this is my favourite from the European Commission, and if you want more detail, perhaps because you are an HR professional responsible for this stuff, try this 35-minute webinar.
The underlying message is that data protection needs to become proactive, and to help you do this, here are three ‘musts’ and two ‘shoulds’:-
- A ‘privacy statement’ ‘must’ be given to employees whenever you collect data.
At the moment you probably rely on a data processing statement in your contract of employment. This will not be sufficient under the GDPR, which requires you to tell data subjects about the lawful basis for using the data (with employee data this is usually for compliance, performance of a contract or because of your legitimate business interests – which you must outline), your retention policy, their rights in relation to their personal data, etc.
You can provide this notice via your website, intranet or Staff Handbook, but as many organisations already do with Health and Safety, it is advisable to make specific reference to it when collecting personal data and obtain evidence that it has been read.
You may also want a shorter version for use when recruiting.
- Responding appropriately. You ‘must’ keep a record of any personal data protection breach, including its effects and remedial action you have taken. Even the loss of a mobile phone or laptop could amount to a breach.
It may need recording. It will need reporting to the Information Commissioner within 72 hours if it’s likely to cause a risk to the rights and freedoms of individuals, and where the risk is regarded as ‘high’, individuals must be told.
You must also respond appropriately to subject access requests (SARs), the right to be forgotten, and requests for corrections or restrictions etc.
- You ‘must’ make sure you have adequate contracts with third party data processors (pay bureau and recruitment consultants being two of the most common). You will want assurances that they only process data you provide to them on written instructions, that staff involved with your data are subject to confidentiality agreements, and that they have adequate technical arrangements to ensure compliance.
Sample contract clauses have been promised by the Information Commissioner’s Office (ICO).
- Underlying much of the GDPR is a new data protection principle of ‘Accountability’. Can you demonstrate that you take appropriate steps to protect the personal data of employees and comply with the requirements of the regulations?
You are going to have difficulty demonstrating this if you don’t even know what personal data you use. You ‘should’ carry out a personal data audit to help you demonstrate compliance.
You will probably want to record what personal data you hold, where it comes from, who handles it, where it is stored, and two technical points: what the lawful basis is for using each item and how long you keep it (retention).
An audit is not compulsory, but without it you’ll have trouble doing some of the other things you have to do. A couple of sides of A4 may well do this for many SMEs, and it should enable you to identify risks which can be mitigated.
- You ‘should’ appoint a responsible person (it might be you!) or know where you can go for advice when you need it. If your core business involves data processing, or you are involved in large scale processing of the special categories of data, then you must appoint a Data Protection Officer.
If this is not the case, you may find it useful to have one person responsible for data protection issues, with a key role to educate and train other staff, but this will not be a requirement for many small businesses.
Is that all there is to it? No, but an audit, a well drafted privacy statement, and regular Board level reviews and staff training/communication are likely to ensure that most SMEs who are only processing employee personal data will be able to show compliance with the 6 + 1 (Accountability) GDPR data processing principles.
Yes, there is much more including how you deal with transferring data outside the EU, responding to records of criminal convictions, automated decision making, personal data relating to children etc. These are unlikely to be issues for most small businesses, so complex policies and procedures are probably not necessary.
If you want to sort all this out yourself, there is a self-assessment tool available on the Information Commissioner’s website, although as you might expect, it’s stronger on questions than it is on answers.
You may have also noticed (!) that there are plenty of consultants like ourselves, ready to assist.
Finally, what about those €20 million fines we mentioned at the beginning, and nearly every other communication about the GDPR has headlined? There have been very few data protection convictions to date, and the evidence is that the ICO is not seeking to be over zealous in the future either.
So, this is not an issue to be driven by the prospect of fines or criminal convictions. It’s far more positive to see it as an opportunity to review systems and assure yourself that the data you are collecting is necessary.
We live in an age where people are becoming increasingly conscious about the security of their personal data and taking these matters seriously will increase employee confidence and enhance your employee brand.
Ken Allison | 05 March 2018 | Paradigm Partners | www.paradigmpartners.co.uk
Ken Allison is an engaging trainer and speaker who manages to make his topics, on handling employment law related people issues and other HR stuff, highly interactive, challenging, entertaining, and above all, relevant to the 21st Century executive. Ken uses his understanding of managing businesses to show managers what they ‘can do’ rather than what they ‘cannot do’.
Through his firm’s ‘ExecutiveHR’ service, Ken also provides telephone based support services to businesses throughout the UK.
This blog is not a substitute for taking legal advice!