GDPR guide overview

GDPR overview


Data has changed

The way we manage data has changed beyond all recognition in the last few years. Filing cabinets are fast becoming a 21st Century dinosaur, no one uses rolodexes anymore and the vast majority of businesses are switching to the computer, online and cloud-based services. But the laws governing how that data is managed haven’t kept pace with this change. Until now.

GDPR Guide Stats-min (1)Since the government’s new General Data Protection Regulations (GDPR) were introduced in 2018, businesses have been working hard to ensure they are compliant with the new legislation. The Information Commissioner’s Office (ICO) has the power to fine organisations found guilty of a data breach up to €20 million or 4% of their annual turnover and they regularly announce which firms have been penalised. These announcements underline the fact that the ICO has small companies and charities in its sights as much as larger firms.

To date, much of the emphasis in the press and business blogs has been on the use (or misuse) of marketing, prospect and customer information. However, it’s important to remember that the new rules apply equally to employee data. Information about your people is about as sensitive as it gets, and this is especially the case since GDPR rules were extended in May 2019 to cover Subject Access Requests (SARs) made by employees.

Good HR software is a valuable tool to help make sure you’re compliant with the new regulations.

Subject Access Request


What is a Subject Access Request (SAR)?

If your business holds information about a person, they can request access to this data. They can also request that this information is deleted and this is called the right to be forgotten.

Since the new rules came into force, there has been an increase in the number of employees in the UK workforce making access requests and this is expected to grow as people become aware of their rights.

It’s important to consider the implications for your business if the ICO decided that you have not handled a SAR properly.

Alongside the financial damage, inflicted by a potentially sizeable fine, you could also suffer reputational damage which could affect your recruitment and employee retention efforts. It’s therefore important that you prepare yourself with plans and processes in place for managing SARs should an employee choose to make one.

GDPR Guide SARs-min

SAR changes and your responsibilities

As of May 2019, there have been a number of key changes to existing GDPR rules and as a result of these, many businesses will need to re-think the way they manage employee data.

  1. You must provide all the personal data that you hold about the employee making a SAR, including anything held in an HR system, on paper, in spreadsheets, email correspondence and every other type of record.
  2. The scope of a SAR is far reaching and includes emails that refer to an employee; their performance reviews, job interviews, payroll records, absence records and any information about disciplinaries.
  3. The data must be provided free of charge to your employees.
  4. All data must be provided to an employee in a secure format. If you provide the data electronically, it needs to be password protected.
  5. Data must be provided in an easily accessible format.
  6. The data needs to be easy to read and understand.
  7. Businesses must now respond to SARs in 30 days
    (not 40 which was previously the case).
  8. SARs no longer have to be made in writing.
  9. Employees are free to make requests as they see fit and this includes verbal requests.

Five questions


1. Is the data you’re responsible for actually secure?

 Under GDPR, any data breach has to be reported to the Data Protection Act within 72 hours. This highlights the real issue of having all of your employee data within a spreadsheet or a filing cabinet.

There is no real way of knowing whether there has been a data breach. A filing cabinet has unlimited access to anyone who walks into that room and any data within a spreadsheet if it is not encrypted. It’s also impossible to know who has made copies of that spreadsheet and where they are now.

To prepare for the new rules, many organisations conducted an audit of their HR data, looking also at storage systems and how information is shared between people. For example, holding a photocopy of someone’s passport within in a filing cabinet or just saving a scanned copy onto a hard drive would raise some concerns. Using secure HR software means you can take back control of the data you hold.

GDPR Guide Q1-min

2. How quickly can you access personal data?

It’s always been the case that employees are able to find out what HR-related personal data is being held. However, the new rules regarding SARs mean you must now provide them with this information for free upon request. It’s imperative now, more than ever, that you have a system in place that allows you to quickly provide this information.

Ask yourself the question, “how long would it take me to retrieve all the data I hold on one of my employees?” The answer to this question is: “without delay and at the latest within 30 days of receipt”. Removing the cost barrier so that you have to provide this information free of charge is highly likely to cause an increase in requests.

GDPR Guide Q2-min

3. Is the data you hold accurate and up to date?

To remain compliant, you will need to ensure that all personal data stored is accurate and up to date. Any requests to update data must be dealt with quickly, again without delay and within 30 days.

It is also your responsibility as the data controller to make sure that the information you hold is regularly reviewed and any inaccurate records are corrected promptly.

GDPR Guide Q3-min

4. Can you remove all personal data that's no longer required?

GDPR_20Guide_20Q4-min_20_1Keeping data accurate also includes removing any data that is no longer required. Having the ‘right to be forgotten’ is now a common and accepted practice which GDPR has brought into law.

Therefore, do you have processes in place to make sure any records you no longer need are securely disposed of? This is tricky to be certain of if there is no centralised database of personal information.

5. Can you prove consent to use the data you hold?

The introduction of GDPR set a high standard for consent; it’s important to be transparent about the data you hold and how you’re using it.

Employee data can be retained and processed on the basis that it is necessary under their employee contract, for example holding someone’s National Insurance number or right to work in the UK documents.

However, GDPR strengthens the conditions for consent, meaning permission that was obtained as part of the terms and conditions of older employment contracts may no longer be enough.

Explicit consent may need to be given by employees for the retention and processing of sensitive personal data so it’s important to assess this and make sure you can prove you have gained sufficient consent. Since GDPR was introduced, employees have the right to withdraw consent at any time.

GDPR Guide Q5-min

 

Additional GDPR resources


Further resources on GDPR

GDPR_20Guide_20additional_20resources-min_ccIn June 2019, we co-hosted a webinar with the team from hr inspire – a leading HR consultancy firm - in which we discussed GDPR and SARs, exploring the legislation and the practical steps businesses can take to achieve compliance. The webinar was provided for charities, however, it’s equally applicable to businesses and is available via this link.

The ICO published numerous up-to-date resources about GDPR and SARs. Click here to visit their website.

Next steps


Next steps

If you’re not already using an HR software system like Breathe and are considering doing so, we recommend the following three steps.

  1. Security first
    If you’re thinking about cloud-based software, ask a provider to prove that your employee data is safe in their hosting facilities. Look for ISO 27001 as the benchmark of high security.
  2. Try before you buy
    Look for software that you and your team can try before you commit to buying.
  3. Support and training
    Some software companies charge extra for support and training and this can add up. Some offer training and support as part of monthly or yearly subscription plans. Be sure to talk to software providers about this.

Stay GDPR compliant
with Breathe

"As a manager I love the fact that everything I need is all in one place - absence records, leave requests, staff contact details, policies, and procedures - the list is endless. We also appreciate the support and training received from the Breathe team. I wouldn’t be without it!”

Start your free 14-day trial
Smiley Lady with cloud@2x (1)

Sign up to get the latest HR and people management insights straight to your inbox