GDPR has to be among the hottest of topics at the moment. While there is plenty of information available exploring how the legislation will affect your marketing data, the staff and HR information you hold is discussed far less often. So we asked Lauren Baker, from Core Finance Management, to give us an introduction to what else you need to consider.
The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018, and that date is coming around quickly. GDPR aims to harmonise data protection law across the EU and bring it up to date with an ever-changing technology landscape. But what is it, and what does it mean for your business?
Firstly, this significant change to data protection law brings some potentially confusing new terminology. Here are a few examples of what the terms mean.
Data Protection Officer (DPO) – You may have been told your business now requires a Data Protection Officer. A DPO is responsible for overseeing your data protection strategy, advising on compliance and monitoring whether the changes you make are actually working. Appointing one is mandatory when your organisation is a public authority or body; when your core activities involve regular and systematic monitoring of individuals on a large scale; or when your core activities involve large-scale processing of special category data (such as health, religion or race) or of criminal conviction and offence data. Even where a DPO is not mandatory, someone in the business should own data protection.
Personal Data – Any information relating to an identified or identifiable natural person. A name or home address is the obvious example, but an employee number, an e-mail address or an IP address that can be linked back to a person also counts.
Sensitive Personal Data – GDPR calls this ‘special category data’: information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation. It may only be processed where one of a narrow set of additional conditions applies. Note that identifiers such as a National Insurance number or passport number are not special category data under GDPR; they are still personal data, though, and because of their value to a fraudster they deserve the same level of protection in practice.
Once you have got your head around the new terminology, you should run through a ‘health check’ for your business. During this process look out for things like:
- How and where are you storing personal data, and who can access it?
- Is your Data Protection Policy up to date?
- Do you need to appoint a Data Protection Officer?
- How quickly could you comply with a subject access request? GDPR gives you one month to respond.
GDPR and your employees
Under GDPR, employees have increased rights. The good news is that many of them are similar to those in the current Data Protection Act. The difference is the scale of the penalties for non-compliance, which can reach €20 million or 4% of annual worldwide turnover, whichever is higher, so it is now also important for your business to look at the way you are storing your employees’ personal and sensitive data.
Employees have the right to be informed about how their personal data will be used, and the right to request access to the information held about them at any time. In certain circumstances they also have the right to have their data erased from your systems entirely, and the right to restrict or object to your processing of it.
To get GDPR ready, you could consider some online or face-to-face training for your staff. There are plenty of online courses offering an introduction to navigating GDPR safely.
Software is likely to be an important part of your safety net, but it is not the whole of it. Effective software that handles personal data safely, alongside sound processes, will help you avoid fines from the supervisory authority (in the UK, the ICO). Which software provider is best for your business will depend on your industry; for example, Core Finance Management use Forest Payroll Software as it stores all our employees’ sensitive data securely, only allows access to specific users, and everything is password protected and isn’t shared with any third parties. Whichever provider you evaluate, ask the same questions: who can access the data and how that access is restricted, whether the data is encrypted in storage and in transit, whether access is logged, and which sub-processors, if any, the provider passes the data to.
Then, in cases where you do need to share personal data with a third party, for example a payroll company, that company is acting as a data processor on your behalf. You will need a written contract in place that meets the GDPR requirements for processors, and you will need to have told your employees, typically through your privacy notice, that their data will be shared with that specific company.
Lastly, it is increasingly important that when you choose providers for your business, you choose compliant and responsible ones — not least to safeguard your business from unnecessary fines, since you remain responsible for the personal data you hand to a processor.
Our advice would always be to be organised and be aware. Key decision makers within your business should familiarise themselves with GDPR. You should also review your current processes, look at your HR policies, your contracts and your privacy information. Be organised: document which personal data you hold, where it is stored and why you hold it, and record the lawful basis for each use. Bear in mind that consent is rarely the right basis for employee data, because an employee cannot freely refuse their employer; most HR processing will rest on the employment contract, a legal obligation or your legitimate interests instead. Knowing exactly what you hold and where will not stop every breach, but it will let you notice one, contain it and report it to the supervisory authority within the 72-hour deadline.