10 Jun
GDPR FOR EMPLOYERS: WHAT YOU NEED TO KNOW
With just two months to go until the crucial May 25 deadline, the General Data Protection Regulation (GDPR) is driving debate and raising concerns across UK businesses in equal measure. The ramifications of GDPR vary widely depending on industry, business size and the manner of data collection, from customer details to staff records. For employers, however, a thorough review of the company’s current practices is unavoidable in order to be compliant and avoid potentially crippling fines.
Introducing our newest consultant
We’re excited to welcome our new HR consultant to the team this April. She holds a BA in Law from the University of Central Lancashire and will be working on legal compliance with our clients. Drawing on that expertise, we advise that one of the biggest considerations for employers under GDPR is paperwork.
There is a lot of scaremongering at the moment, but the truth is that there don’t have to be as many changes as people may think. For many employers, documentation is where they fall down, and as of May 25 there will be a lot more accountability for it. The focus should now be on mapping out all data, what is done with it and the legal implications, as well as ensuring that all changes are made clear to employees.
Mapping out your data
With the GDPR set to replace the current Data Protection Act 1998 (DPA), HR managers need to be clearer with their staff about how their data is handled. This is where documentation comes in. Rather than outlining these details in an employment contract, which a new employee more or less has to accept in order to take the job, employers are now advised to draw up privacy notices. When a new staff member starts, he or she may not be aware of how much sensitive data is being stored, for example medical records or trade union memberships. Under GDPR, personal employee data can only be processed under the following conditions:
• It is processed in the genuine interests of the employer
• Consent is freely given by informed employees, who have been given unambiguous guidance
• It is a requirement of the employee contract that an employee gives consent
It is therefore advised that employers draw up a new privacy notice and/or update any other staff communications for existing employees such as the staff handbook or local intranet system.
What new rights do employees have?
Though there are already rules under the DPA regarding the lawful processing of data, these will become stricter. In particular, staff will now have greater access to their own personal records. For example, previously a staff member would have to pay a £10 fee to access the information a company holds on him or her (for example, to use in a tribunal), and this process could take up to 40 days. The maximum access period has now been shortened to 30 days, and employees no longer have to pay.
Employees also have more rights over what can be done with their data; that is, they can choose to have it rectified, deleted or frozen. However, this may be detrimental to a tribunal case. Employers should therefore ensure all changes in data handling are made abundantly clear in documentation to minimise the risk of unlawful practices.
What to do next
For some companies, a breach of GDPR could cost up to €20 million or 4 per cent of annual turnover. Larger firms may wish to consider taking on a Data Protection Officer (DPO) to audit staff data. A qualified DPO should notify the Information Commissioner’s Office within 72 hours if he or she believes there has been a potential data breach.
Not every company will require a DPO, however, particularly if there are already in-house teams whose role is very similar. Managers should be prepared for a potential increase in employee requests for data access, and should manage this process efficiently. Essentially, there are three key changes we should be making now to prepare for GDPR: work with IT security teams to audit all data and data processing; train staff on the new GDPR rules; and make staff aware of their rights. Our staff are the people who will be dealing with any breaches, so it’s essential that they’re informed.
Prepare for GDPR with Altum HR
We will be offering our clients a GDPR standard policy bolt-on from April to ensure they are ready for the May 25 GDPR deadline. If you have any questions on GDPR or our new service, please contact email@example.com or call 01925 552333.