The way we manage data has changed beyond all recognition in the last few years. Filing cabinets are fast becoming a 21st Century dinosaur, no one uses a rolodex anymore, and the vast majority of businesses are switching to computer-based, online and cloud services. But the laws governing how that data is managed haven’t kept pace with this change. Until now.
Since the government’s new General Data Protection Regulation (GDPR) was introduced in 2018, businesses have been working hard to ensure they are compliant with the new legislation. The Information Commissioner’s Office (ICO) has the power to fine organisations found guilty of a data breach up to €20 million or 4% of their annual turnover, and it regularly announces which firms have been penalised. These announcements underline the fact that the ICO has small companies and charities in its sights as much as larger firms.
To date, much of the emphasis in the press and business blogs has been on the use (or misuse) of marketing, prospect and customer information. However, it’s important to remember that the new rules apply equally to employee data. Information about your people is about as sensitive as it gets, and this is especially the case since GDPR rules were extended in May 2019 to cover Subject Access Requests (SARs) made by employees.
Good HR software is a valuable tool to help make sure you’re compliant with the new regulations.
If your business holds information about a person, they can request access to this data. They can also request that this information is deleted; this is called the right to be forgotten.
Since the new rules came into force, there has been an increase in the number of employees in the UK workforce making access requests, and this is expected to grow as people become aware of their rights.
It’s important to consider the implications for your business if the ICO decides that you have not handled a SAR properly.
Alongside the financial damage inflicted by a potentially sizeable fine, you could also suffer reputational damage, which could affect your recruitment and employee retention efforts. It’s therefore important that you prepare yourself with plans and processes in place for managing SARs, should an employee choose to make one.
As of May 2019, there have been a number of key changes to existing GDPR rules, and as a result many businesses will need to re-think the way they manage employee data.
Under GDPR, any data breach has to be reported to the Data Protection Act within 72 hours. This highlights the real issue with holding all of your employee data in a spreadsheet or a filing cabinet.
There is no real way of knowing whether there has been a data breach. A filing cabinet is open to anyone who walks into the room, and so is any data in a spreadsheet that is not encrypted. It’s also impossible to know who has made copies of that spreadsheet and where those copies are now.
To prepare for the new rules, many organisations conducted an audit of their HR data, looking also at storage systems and how information is shared between people. For example, holding a photocopy of someone’s passport in a filing cabinet, or simply saving a scanned copy onto a hard drive, would raise some concerns. Using secure HR software means you can take back control of the data you hold.
It has always been the case that employees are able to find out what HR-related personal data is being held about them. However, the new rules regarding SARs mean you must now provide them with this information free of charge upon request. It’s imperative now, more than ever, that you have a system in place that allows you to provide this information quickly.
Ask yourself the question, “how long would it take me to retrieve all the data I hold on one of my employees?” The answer required is: “without delay and at the latest within 30 days of receipt”. Removing the cost barrier, so that you have to provide this information free of charge, is highly likely to cause an increase in requests.
To remain compliant, you will need to ensure that all personal data stored is accurate and up to date. Any requests to update data must be dealt with quickly, again without delay and within 30 days.
It is also your responsibility as the data controller to make sure that the information you hold is regularly reviewed and any inaccurate records are corrected promptly.
Keeping data accurate also includes removing any data that is no longer required. The ‘right to be forgotten’ is now a common and accepted practice which GDPR has brought into law.
Therefore, do you have processes in place to make sure any records you no longer need are securely disposed of? This is hard to be certain of if there is no centralised database of personal information.
The introduction of GDPR set a high standard for consent; it’s important to be transparent about the data you hold and how you’re using it.
Employee data can be retained and processed on the basis that it is necessary under the employee’s employment contract, for example holding someone’s National Insurance number or right-to-work-in-the-UK documents.
However, GDPR strengthens the conditions for consent, meaning that permission obtained as part of the terms and conditions of older employment contracts may no longer be enough.
Explicit consent may need to be given by employees for the retention and processing of sensitive personal data, so it’s important to assess this and make sure you can prove you have gained sufficient consent. Since GDPR was introduced, employees have had the right to withdraw consent at any time.
In June 2019, we co-hosted a webinar with the team from hr inspire, a leading HR consultancy firm, in which we discussed GDPR and SARs, exploring the legislation and the practical steps businesses can take to achieve compliance. The webinar was provided for charities; however, it’s equally applicable to businesses and is still available to watch.
The ICO publishes numerous up-to-date resources about GDPR and SARs on its website.
If you’re not already using an HR software system like Breathe and are considering doing so, we recommend the following three steps.