6 min read | 5 July, 2019 By Nick Hardy
Since the government’s new General Data Protection Regulations (GDPR) were introduced last year, businesses have been working hard to ensure they are compliant with the new legislation. The Information Commissioner’s Office (ICO) has the power to fine organisations found guilty of a data breach up to £20 million or 4% of their annual turnover and they regularly announce which firms have been penalised. The list of companies found guilty of nuisance calls and spam – as well as losing data – shows that the ICO has the smaller companies in its sights as much as larger firms.
To date, much of the emphasis in the press and business blogs has been on the use (or misuse) of marketing, prospect and customer information. However, it’s important to remember that the new rules apply to employee data, too. Information about your people is about as sensitive as it gets, and this is especially the case since GDPR rules were extended in May 2019 to cover Subject Access Requests (SARs) made by employees.
Here are the important topics we're going to cover in this article:
If your business holds information about a person, they can request access to this data. They can also request that this information is deleted and this is called 'the right to be forgotten'.
Since the new rules came into force, there has been an increase in the number of employees in the UK workforce making access requests and this is expected to grow as people become aware of the legislation.
It’s important to consider the implications for your business if the ICO decided that you have not handled a SAR properly. Alongside the financial damage inflicted by a potentially sizeable fine, your reputation could also take a hit, which could easily affect your recruitment and employee retention efforts. So, it's important that you prepare yourself by putting plans and processes in place, so you can manage SARs should an employee choose to make one.
As of May 2019 there have been four key changes to existing GDPR rules, and as a result of these many businesses will need to re-think the way they manage employee data. Here's what you'll need to do.
For organisations that use multiple software systems, spreadsheets and paper records to manage employee information, handling even a single SAR could be a headache - especially if an employee has been with a company for a number of years. Managing multiple SARs could very easily become a complete nightmare which wreak havoc with HR administrators' lives.
This is where dedicated HR management systems like Breathe can help. By centralising all employee information and documents within a single, password-protected system, HR admin staff and business managers can help mitigate the risk of a data breach, and at the same time ensure that if an employee does make an SAR all required information can be provided easily and quickly.
It’s important to look for a system for which every employee within an organisation has their own unique log-in. The ability to set different access and user permissions is just as vital. This ensures that people can only see what they are meant to see, and that HR administrators have complete control over what documents and information are visible to people.
If you do decide to investigate HR management systems that are available for small businesses, it’s worth considering those that are hosted in the cloud on your behalf, as cloud-based systems can provide a greater level of protection than those which are deployed internally on your own servers. Daily data backups, ensuring a server is secure and updating operating systems and security software can be extremely time-consuming and also very expensive. Employing dedicated IT staff to manage internal systems can be costly, even with a relatively new engineer commanding a big salary.
If a company suffers a data breach as a result of out-of-date server software or, for instance, a flawed firewall which has been penetrated via malware or a cyber attack (which is sadly all too common these days), then the ICO could deem a firm to have been negligent in terms of ensuring employee data is secure. A missed software update or an out-of-date license could result in a sizeable fine despite a business’ best intentions. Stating that you weren’t aware that your anti-virus software needed updating is unlikely to convince the ICO.
Cloud based software such as Breathe is hosted in modern data-centres provided by leading specialist hosting companies. These companies have invested millions in setting up facilities that are ring-fenced by many levels of security and managed around the clock by specialist teams of engineers. Routine admin – such as daily backups – are managed on your behalf. Breathe, for instance, is hosted by Amazon Web Services and their facilities are ISO 27001 accredited, meaning they have been independently certified to ensure security is at the very highest level.
At Breathe we provide a further level of protection, as we ourselves have been ISO 27001 accredited, certifying the processes we have in place for managing our customers’ employee data.
Before even thinking about software features or prices, the first question you should ask a provider is, “Can you prove to me that my employee data will be safe in your facilities?” If there’s any doubt, you should walk away.
These days, the majority of UK businesses are using cloud-based applications. According to the Cloud Industry Forum, 88% of IT and business decision-makers use one or more cloud-hosted apps, and 67% were keen to ramp up adoption last year.
If you’re not already using an HR software system like Breathe and are considering doing so, we recommend the following three steps.
Breathe provide a free, no-obligation 14-day trial to everyone. Yours is available via this link.