You’ve built your business and have your employees in place to make it a success. In the process of bringing people into your company you’ve obtained all sorts of data from them, and most of it is highly useful. Yet having access to a wealth of valuable personal data also brings a responsibility to ensure that it is securely held and used in a responsible manner. The General Data Protection Regulation (GDPR) is the latest effort to offer increased rights to individuals and to increase the organisational obligations of any companies that have access to their data.
The incoming regulations look set to bring sweeping changes to how organisations handle the personal data of individuals. This obviously has a major impact on employers and your HR activities, so it’s important to know how it will affect you. This short guide will give you an overview of how the GDPR will affect business owners before and after it comes into effect.
What is the GDPR?
The GDPR is part of the EU Data Protection Regulation and it will replace the existing Data Protection Directive. The aim of the new regulation is to standardise and strengthen the rights of European citizens to data privacy. This means that any organisation that deals with people’s private data must meet new standards of transparency, security and accountability.
The onus is on data controllers (employers) and processors (responsible person conducting HR activities) to identify potential compliance issues within their organisation, to analyse the private data that is currently being held by the organisation, and to review the consent procedures by which employees agree to the retention of their personal data.
What are the important dates to remember?
The GDPR comes into effect on May 25, 2018. The UK Government has confirmed that the regulations will apply in the UK as it will still be a member of the EU at that time. This gives business owners just under a year to prepare for the new regulations to take effect.
What counts as personal data?
Information related to an employee such as names, photos, bank details, email addresses, personal information or medical records qualifies as personal data.
Do I have to get an employee’s consent to retain personal data?
Employee consent is generally not considered to be “freely given” due to the power imbalance between the employee and their employer. Indeed, where consent is given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
Companies may process employee data on the basis that it is necessary under their employee contract or to fulfil an employer’s legitimate interests. However, the conditions for consent have been strengthened so consent that was obtained as part of the terms and conditions of employment contracts may no longer suffice.
Explicit consent may need to be given by employees for the retention and processing of sensitive personal data so it’s important to assess this between now and May 2018. The GDPR also means that ‘data subjects’ have the right to withdraw consent at any time.
Security responsibilities of employers
Under the GDPR, any data breach will need to be reported to the data protection authority (DPA) within 72 hours, unless the data is encrypted or doesn’t identify individuals. This means you’ll need to review your current data breach reporting mechanisms. Employees who could potentially suffer harm from any breach will also need to be notified “without undue delay.”
It is important to review your security provisions and to consider any potential issues that could arise because of the way that you store data. Depending on the extent of the sensitive data you process, it may be necessary to appoint a Data Protection Officer to oversee data processing activities within your organisation.
What are the rights of my employees under GDPR?
Employees will be able to find out what HR-related personal data is being processed, why it is being processed and where it is being held. The Responsible Person for HR activities must also provide them with a free copy of any data that it holds upon request, so you must have a system in place that allows you to easily provide this information.
You will also need to ensure that any personal data is accurate, complete and up to date under the Data Quality Principle. This could have implications if employees are using self-service software, so a review of how this information is processed is advisable. You also need to notify employees why you are collecting their data, and this data cannot be used for another purpose without notifying the employee.
The new legislation is designed to give individuals the right to access, correct and erase information that relates to them. So, your employees will be entitled to greater transparency in relation to their personal data and your reasons for retaining it.
What steps do I need to take?
The first step is to review your data protection processes and procedures and identify any areas of concern. Part of this process is to create an inventory of all the personal data that you hold and assess the reasons for its retention.
You’ll also need to reach out to your workforce and make them aware of the new rules and their rights. This will make it easier to obtain any consent you require to hold their sensitive data. You’ll need to look at how you obtain and record declarations of consent from your workforce.
It is also recommended that you review employment contracts and documents to check whether they meet the requirements for consent going forward.
Most importantly, you need to start getting ready NOW. It is vital that you have a secure system in place that allows you to adopt a transparent and compliant approach going forward. Depending on the HR systems you use (paper, electronic, etc.), this may be a much bigger job than you imagine, so getting started early is the first step.
The GDPR also allows individual member states to implement more specific rules in relation to HR-related personal data, meaning you’ll need to assess how this could impact you if you operate in more than one territory.
What will happen if I don’t comply with the new regulations?
The official GDPR website outlines the details of the new regulations and states that non-compliant organisations will face “heavy fines.” Your company could be fined up to 4 percent of your annual global turnover or €20 million (whichever is greater) for serious offences like not having obtained sufficient consent.
Smaller fines of 2 percent can be applied for failing to keep your records in order, failing to report a breach or not conducting impact assessments.
Help is here!
If you need help, guidance or more, please book onto our GDPR session for employers without HR. The step-by-step sessions run bi-monthly, starting on Wednesday 12th July 2017. They are morning sessions, so they won’t impact too much on your day. Book here:
If this is making you feel a bit overwhelmed, give us a call TODAY to arrange your no-obligation consultation. We might just surprise you!
Why Use Opt HR?
Firstly, we care and we want to help!
We are thoroughly experienced and professional in all people-related issues. Our helpful team get straight to the heart of the issue, saving you time and money.
‘Our message to you is: “we make time for you” and we do that by listening to your people issues and responding quickly.’
Visit our website www.opthr.co.uk for more information. You can also call our helpful team on 024 7615 8431.
Our aim is to reduce the risks your business takes – enable you to make sensible, informed and justifiable decisions, and ultimately, to add financial value to your business.
Thank you for taking the time to read my blog.
Rachel Wade, FCIPD, Independent HR Consultant & The HR Excellence Coach, Opt HR Limited
OptHR – HR Expertise For Your Business