Loading profile data...

BLOG

GDPR and your employees

GDPR and your employees
Emma del Torto
Emma del TortoEffective Human Resource Management

Posted: Thu 5th Jul 2018

You've seen press headlines of massive fines, the right to be forgotten and getting everyone's written consent. Emma del Torto, Enterprise Nation member and founder of PitStopHR, shares a guide to help you understand the relationship with GDPR and being an employer.

Massive fines, the right to be forgotten, getting permission from everyone, and no more marketing emails. This is what the press have told us, but is this right? We've prepared a guide to help you understand how GDPR will affect you and your employees.

What is GDPR?

While there has been a lot in the news recently about GDPR, there's still a lot of confusion on how it actually impacts on businesses and their employees.

The reality is, that GDPR isn't too far away from the Data Protection Act that we were all familiar with. In short, build upon the solid foundations that you've already laid.

Yes, the upper limit of the fine for a breach has increased. But think about the epic fails that you know about with breaches in Data Protection (like leaving USB sticks on trains). Have any of these companies had the maximum fine under the Data Protection Act (£500,000)? No, the most a company has ever been fined is £400,000 and that was TalkTalk in 2016.

The upper limits are there for the really big breaches. For small businesses, it probably never going to get that bad.

Ask yourself 'who can access the data of my employees and customers?' If it's only people who really need to access it, then great.

If there is a breach, then just make sure you report it to the Information Commissioner's Office (ICO) within 72 hours of finding out about it. If you don't report it, then you could get fined for not telling the ICO.

What about the right to be forgotten?

Well, from conversations and questions we've been asked, this one has been the other big issue for businesses. 'What happens if my employees don't want to give their permission for me to have their data?'

Fear not my friend! We recommend that, where possible, you always use a different legal reason for processing people's data. This way, even if an employee says they don't want you to process their data, as long as you have a good reason to keep it, then you can. So, as long as the reason for you processing and keeping the data falls into one of the following, you can carry on as normal.

Reasons for processing data

  1. Contractual reasons
    a. Processing the information is necessary for the contract that you have with them

  2. Legal obligations
    a. Complying with the law

  3. Vital interests
    a. To protect someone's life

  4. Public task
    a .Processing is necessary for you to perform a task in the public interest; or

  5. Legitimate interests
    a. Processing is necessary for your legitimate interests or the legitimate interests of a third party

You still need to have a good reason for process and storing information, but now you just need to be more transparent about why you are collecting people's data.

A perfect example is when you buy something from a website and they automatically tick the boxes that given them consent to use your email for marketing purposes. That isn't an option anymore.

As a business you need people to opt IN to receiving these things. BUT, don't panic. If you already have an ongoing relationship with the person i.e. they are already your customer, then you don't need to get their consent all over again.

Requests to see data

Another change to the rules that you'll need to make provisions for is to do with requesting data.

If an employee requests data from their file (a Subject Access Request), for example 'I'd like copies of all of my performance reviews', you used to be able to charge an administration fee of £10 to do this. You also had 40 days to complete the request.

GDPR has changed this by removing the fees and giving businesses less time to respond. You now only have 30 days.

In real terms, what this means is you need to review the process that you have followed (or would follow, if you've never had one before) just to make sure that you can get the information to someone within 30 days.

'What happens if their request is complex?' I hear you ask. Well, in these scenarios let the individual know within one month of receiving their request that there will be an extension in the timescale and exactly why. These scenarios are normally few and far between.

Where to find more information

If you need more information on GDPR, the ICO are there to help you. Have a look at the website which gives practical guidance on handling GDPR, including specific guidance for small businesses. You can also give them a call. I promise they aren't scary.

If you are a brand new business and just thinking about employing your first employees, it's a great opportunity for you to get your contracts and staff handbook beautifully GDPR compliant.

So it's not all bad news but a great opportunity for you and your business to get it right.

Emma del Torto
Emma del TortoEffective Human Resource Management
Originally from London, Emma came to Wales to attend law school at Cardiff University in 1993 before qualifying as a solicitor in 1998, specialising in employment law. She also holds a Master’s degree in employment law. With over 20 years’ experience in employment law and HR, Emma established Effective HRM in 2011 with a mission of becoming the UK’s most cost-effective, personable and valuable HR service. Nine years on and she still feels passionately about her vision of creating a nation full of positive, proactive and empowered employers. Straight talking, pragmatic and a great team player, Emma focusses on delivering expert legal advice, combined with the preventative good practice of HR management and commercial realism. She’s particularly talented at getting to grips with complex issues quickly and resolving problems with a collaborative and solution focussed approach. Always striving for the next achievement, Emma is naturally creative and enjoys sewing, knitting and crocheting. She is also a keen swimmer. In fact, she’s set herself the rather ridiculous challenge of swimming in all 130 lidos in the UK. She’s a reluctant hill or coastal path walker but she does say that the company of good friends helps to take some of the pain away. Check out the full biog on our website

You might also like…

Get business support right to your inbox

Subscribe to our newsletter to receive business tips, learn about new funding programmes, join upcoming events, take e-learning courses, and more.