GDPR and your employees
Posted: Thu 5th Jul 2018
You've seen press headlines of massive fines, the right to be forgotten and getting everyone's written consent. Emma del Torto, Enterprise Nation member and founder of PitStopHR, shares a guide to help you understand the relationship between GDPR and being an employer.
Massive fines, the right to be forgotten, getting permission from everyone, and no more marketing emails. This is what the press have told us, but is this right? We've prepared a guide to help you understand how GDPR will affect you and your employees.
What is GDPR?
While there has been a lot in the news recently about GDPR, there's still a lot of confusion on how it actually impacts on businesses and their employees.
The reality is that GDPR isn't too far away from the Data Protection Act that we were all familiar with. In short, build upon the solid foundations that you've already laid.
Yes, the upper limit of the fine for a breach has increased. But think about the well-publicised data protection failures you've heard of (like leaving USB sticks on trains). Have any of those companies received the maximum fine under the Data Protection Act (£500,000)? No, the most a company has ever been fined is £400,000, and that was TalkTalk in 2016.
The upper limits are there for the really big breaches. For small businesses, it's probably never going to get that bad.
Ask yourself 'who can access the data of my employees and customers?' If it's only people who really need to access it, then great.
If there is a breach that is likely to put people at risk (for example, their details could be misused), make sure you report it to the Information Commissioner's Office (ICO) within 72 hours of finding out about it. If you don't report a breach that you should have, then you could be fined for not telling the ICO. Keep a written record of every breach, even the ones you decide don't need reporting.
What about the right to be forgotten?
Well, from conversations and questions we've been asked, this one has been the other big issue for businesses. 'What happens if my employees don't want to give their permission for me to have their data?'
Fear not my friend! Consent is only one of the legal bases for processing data, and it is the one that people can withdraw. We recommend that, where possible, you rely on a different legal basis for processing your employees' data. That way, even if an employee says they don't want you to process their data, as long as you have one of the other good reasons to keep it, then you can. So, as long as the reason for you processing and keeping the data falls into one of the following, you can carry on as normal.
Reasons for processing data
Contractual reasons
a. Processing the information is necessary for the contract that you have with them
Legal obligations
a. Complying with the law
Vital interests
a. To protect someone's life
Public task
a. Processing is necessary for you to perform a task in the public interest; or
Legitimate interests
a. Processing is necessary for your legitimate interests or the legitimate interests of a third party
You still need to have a good reason for processing and storing information, but you now need to be more transparent about why you are collecting people's data and which of the reasons above you are relying on.
A perfect example of what no longer counts is when you buy something from a website and it automatically ticks the boxes that give consent to use your email for marketing. Pre-ticked boxes aren't valid consent anymore.
As a business you need people to opt IN to receiving these things. BUT, don't panic. If you already have an ongoing relationship with the person, i.e. they are already your customer, then you don't need to get their consent all over again to market similar products to them, provided they were given a chance to opt out when you collected their details and can opt out of every message you send.
Requests to see data
Another change to the rules that you'll need to make provisions for is to do with requesting data.
If an employee requests data from their file (a Subject Access Request), for example 'I'd like copies of all of my performance reviews', you used to be able to charge an administration fee of £10 to do this. You also had 40 days to complete the request.
GDPR has changed this by removing the fee in most cases and giving businesses less time to respond. You now have one month.
In real terms, what this means is you need to review the process that you have followed (or would follow, if you've never had one before) just to make sure that you can get the information to someone within one month.
'What happens if their request is complex?' I hear you ask. Well, in these scenarios you can extend the deadline by up to a further two months, but you must let the individual know within one month of receiving their request that there will be an extension and exactly why. These scenarios are normally few and far between.
Where to find more information
If you need more information on GDPR, the ICO are there to help you. Have a look at the website which gives practical guidance on handling GDPR, including specific guidance for small businesses. You can also give them a call. I promise they aren't scary.
If you are a brand new business and just thinking about employing your first employees, it's a great opportunity for you to get your contracts and staff handbook beautifully GDPR compliant.
So it's not all bad news but a great opportunity for you and your business to get it right.