How to become GDPR compliant before 25 May 2018
You may have heard about GDPR (the General Data Protection Regulation) coming into force in May this year, but you may be unsure about what these new rules for processing data mean for you and your employees. Perhaps you hold your employee data in multiple sources, across numerous sites and in different formats, leaving you feeling overwhelmed and struggling to work out how or where to start. Either way, you need to become GDPR compliant by 25th May 2018 – no exceptions. This means putting in place your policies and procedures on how you process your employee data right now. However, GDPR doesn’t have to be as complicated or as time-consuming as you might initially expect – in fact, implementing GDPR brings positive outcomes, such as decluttering your existing data and building trust and loyalty with your employees. Simplify ER is here to break down the most important points of GDPR and how you can start becoming compliant now.
GDPR applies to all organisations, large and small.
What are the sanctions if you are not GDPR compliant by 25th May 2018?
The laws surrounding how you process data have been dramatically tightened and now carry expensive penalties, with fines of up to €20 million (£17 million) or 4% of global annual turnover (whichever is higher). However, if you follow the points below and obtain legal advice from Simplify ER to make sure you are implementing them correctly, you can avoid these penalties and ensure that your data is processed legally and fairly by the time GDPR comes into force.
So, let’s start with what ‘Data’ means first.
What does ‘Personal Data’ mean?
The GDPR puts the emphasis on you, as the employer, being accountable for processing personal data, which means any personal information that can directly or indirectly identify your employee as an individual. You now need to show that you are complying with the GDPR rules through your policies, processes, employee training and extensive record-keeping of all your data processing activities. This process needs to be ongoing.
GDPR means no more insecure, unlocked filing cabinets or open emails that show employees’ personal details from which individuals can be identified by others.
What does ‘Data Processing’ mean?
Data processing means anything at all related to you collecting, storing, using and even deleting your employee’s data. Furthermore, information on your data processing activities needs to be provided to your employee, who has the right to know how and why you collect and process their data in the way that you do. Under the GDPR, they have the right to withdraw their consent to you doing so at ANY time, which means the data you hold on them must be deleted, destroyed or anonymised.
So, what does this all mean for my business?
Essentially, where consent cannot be obtained from the employee, you can still process your employee’s personal data if you can show that one of several lawful grounds for processing applies. These include:
- Relying on a legal or contractual obligation to process your employee’s personal data where you would not require approval or consent. For example, holding your employee’s bank (and other relevant) details, so that you can pay them their salary every month after they perform their role under the employment contract. Paying their salary also involves communicating with the HMRC in relation to their tax and national insurance contributions. Therefore, your employee’s bank details are required for this kind of data processing.
- It is necessary for you to process your employee’s personal data, for the performance of their employment contract. Without this data, there is no contract and there can be no employment relationship.
- Third-party relationships – you need to pass data back and forth with recruitment agencies, which is necessary to interview and assess job applicants for a new employment relationship.
If you are processing your employee data for its specific purpose, legally and fairly, and you are transparent in your dealings, i.e. you are always clear and honest with your employee about what you do with the data you hold on them, then you should be able to avoid a GDPR claim. Remember that the data you process on your employee should only be used for its specific and primary purpose. You can support this by minimising the data you process as much as possible – don’t hold onto data just because it is ‘nice to have’.
The less data you hold, the safer you are from the perspective of GDPR.
What should I do now to prepare for GDPR?
The first thing to do is to avoid overwhelming yourself by trying to do everything at once. Here are some tips on how to start preparing for GDPR now:
- Identify and locate what and where your employee/candidate data is in your business and make a map of how it is gathered, processed and stored. Have you carried out an audit yet? Is your data accurate and up-to-date?
- Get a team together, whether that be just yourself and your PA or your HR, IT, Finance and Marketing team. Everyone needs to be on the same page when it comes to complying with GDPR.
- Start documenting your definitions of personal data and train your staff on how to identify where this data is and how they should start processing it from now on.
- Identify any security issues or vulnerabilities affecting your data, e.g. insecure email, publicly accessible spreadsheets, etc.
- Ensure your security controls are robust across the board going forward – this may mean using new software and programs to ensure that your systems are GDPR compliant.
- Check desks and public areas for any personal data left on desks, in bins and in drawers. You can no longer have personal data lying about!
- Ensure your employment contracts and your privacy notices now make clear how your employee’s data will be used – and that this data is only used for legitimate purposes.
- Your privacy notices will need to state you as the ‘data controller’, the purpose of processing the data, how long you will store the information, the legal basis for processing, the countries or organisations that you may transfer the data to and the level of protection you will be affording the employee (the security systems that you have in place). These privacy notices need to be provided to candidates before they apply for a job – for example in an online application form. For new employees, the privacy notice can be provided alongside the staff handbook and other policies.
Finding the time to project-manage your data may become an ongoing challenge, but it is important to get this stage right first; only then can you understand how you can become GDPR compliant.
Simplify ER can support you every step of the way, by reviewing your systems, policies and procedures and ensuring you avoid those harsh penalties for breaching your employee’s personal data.
Contact Simplify ER now on 020 3011 0448 or email firstname.lastname@example.org so we can discuss your next steps.