Data Protection

You may have heard of GDPR, you may even have pencilled it in your diary but do you know what it really means for your business? Or what you need to do? Data protection rules are changing and even if you’re a small business you need to be prepared for them and make sure you’re compliant. However, much of GDPR is already covered under current data protection rules so as long as you have been compliant up until now then the changes you need to make will be relatively minor. 

If you have employees you will inevitably hold plenty of personal data on them – addresses, references, service records, appraisals and so on. Right from the moment you recruit someone you could be handling data and HR software can help you manage this. For example, if you ask a candidate to send in a CV or complete an application, that counts as collecting data and you are subject to the Data Protection Act. The Act doesn’t stop you collecting information but rather helps keep a balance between the data you need to collect as an employer and the employee’s right to a private life.

Personal information on employees should be kept securely and only used for the purpose it is collected e.g. the recruitment process, monitoring performance etc. You also have a duty to not share their information with another organisation without their consent and you shouldn’t keep information that isn’t relative, out-of-date or excessive.

The mere mention of GDPR (or the General Data Protection Regulation to give it its full name) can strike fear into the hearts of many small business owners and managers. But GDPR, which comes into force on May 25, 2018, isn’t complicated. 

GDPR is a regulation that is being introduced by the European Union to strengthen the laws surrounding data protection and storage. The UK government has already decided to adopt the legislation regardless of Brexit. 

Data storage and management have changed dramatically since the last data protection laws came into force in 1998. Back then, the internet was in its infancy, cloud-based services didn’t exist, and much employee data was stored in manila folders in grey filing cabinets. GDPR will bring the law up to date and more in alignment with current technological changes.

GDPR will introduce much tougher fines (up to €20 million or 4% of annual turnover) in the event of a serious data breach or non-compliance. It will also give people a much greater say over what data is stored on them and how organisations use it. It also harmonises data protection throughout EU member states and applies not just to EU companies but to any company doing business in the EU, even if they’re based outside the EU.

In addition, GDPR introduces mandatory reporting of any breaches within 72 hours to the data protection authority.

What is it and how will it affect employers?

You may well already have data protection or privacy policy but under GDPR you’ll have to make sure it is more detailed and contains certain information:

• How long data will be stored.
• If the data will be transferred out to another country.
• Information on the right to make a subject access request.
• Information on the right to have personal data erased.

Currently, it is assumed the employee gives consent for his or her data to be stored but it’s a state of affairs that has come under growing criticism for not being fair because of the inherent imbalance in the employer/employee relationship. Under GDPR, there will be tougher and more specific rules on gaining consent and an employee can withdraw consent at any time.

Find out more about GDPR and subject access requests in our dedicated guide here

The UK Data Protection Act 1998 was introduced to control the way information is handled and stored and was the result of a European directive on data protection. It introduced the eight data protection principles which businesses adhere to today.

The act also gave individuals such as customers or employees the right to request access to the information held on them and to have factual errors in that information corrected. The act also protects people against data being used improperly or for direct marketing purposes. 

What is the Data Protection Act 1998 and what does it mean for employers?

Ever since it was introduced it has meant employers need to be careful about what data they collect and store on their staff as well as how that information is used. Your employees also have a legal right to access the information you hold on them.

As an employer, you can keep certain information about your staff including their name, address, date of birth, sex, education and work history, tax code and NI number, any disability details and emergency contacts.

You can also keep information on their employment history with you, terms and conditions, any training, accidents and disciplinary action. 

If your employee asks you what information you hold on them, then currently, the employer has 40 days to supply it to them. 

Eight principles of the DPA

The original Data Protection Act introduced eight principles for data protection which you have to adhere to:

• Fairly and lawfully processed – You should have legitimate grounds for collecting the data and be transparent as to why you need to collect it. You need to handle data lawfully and only use it in ways that could be reasonably expected.
• Processed for limited purposes – This requires you to be open about the reasons you collect the data and that what you do with that information is in line with the reasonable expectations of the person you are collecting it from.
• Adequate, relevant and not excessive - You should only collect data that is reasonable for the purpose you’re collecting it for.
• Accurate and up to date – You must take reasonable steps to ensure the data you collect is accurate, consider any challenges to the accuracy of the information and also consider whether the information needs updating.
• Not kept longer than necessary – The act doesn’t specify a maximum or minimum amount of time you can keep data but you should review the length of time you keep personal data, consider the purposes for which you collected it when deciding whether or not to retain it or securely delete information no longer required for those purposes.
• Processed in accordance with the individual's rights – Your employees have a right to access the data you keep on them and a right to object to any processing that is likely to cause distress or damage. In certain situations, they have a right to have inaccurate data removed or corrected and they can claim compensation under the Act for any breaches.
• Secure – Your employee data must be held securely. Only staff with appropriate training should be able to see staff records and sensitive data such as health and financial should be stored separately. You must also take steps to ensure your data can’t be accessed by an outside force e.g. hackers.
• Not transferred to countries outside the European Economic area, unless there is adequate protection – You cannot move data to a non-EEA country without first making sure it is secure.

GDPR tightens the rules around a SAR but you can still make sure you stay on the right side of the law.

You should have a procedure in place for complying with the reduced timescale. You should also create a policy for identifying a SAR and how it is dealt with. Include this in your terms and conditions or employee handbook so it is clear what procedure should be followed from the outset.

If you appoint a member of staff to manage your data protection and any SAR, you need to make sure you have a back-up in place in case they are away from the office – remember you will only have a month to respond.

Appoint a data protection officer

Under GDPR you must appoint a data protection officer (DPO) if: 

• You’re a public body
• Carry out large-scale or systematic monitoring of individuals
• Carry out large scale monitoring of specific categories or data relating to criminal convictions and offences.

However, any organisation can appoint a DPO whether or not they are obliged to and it is encouraged as good practice to have someone assigned to the role. It can be an existing employee, provided their DPO role doesn’t conflict with existing duties or you can appoint someone into a standalone role depending on the size of your organisation.

If you do appoint someone, however, even if you don’t need to, you will then be obliged to comply with the legal requirements of GDPR.

If you decide to appoint an officer, they must:

• Be located in the EU
• Have expert knowledge of data protection law and be able to carry out the tasks as set out in GDPR
• Have experience commensurate with the sensitivity, complexity and amount of data they process.
• They must be sufficiently senior in your organisation but also be able to carry out their duties independently and not be directed by senior management.
• Your organisation remains responsible for data protection not the DPO.

Complete a data audit

It’s good practice to review regularly what information you hold on your employees and what data you work with in general. 

• Establish what you have – List all the different types of data assets you have such as CRM software or HR software. Include both computer and paper files you keep on your employees.
• Make sure you know where it all is – Once you have worked out exactly what you have you need to make sure you know where it all is and how it is accessed. If you’re using HR software for example, who has access to this, how is data inputted and could there be any data that isn’t yet stored on it such as on another employee’s email when they’re looking for potential recruits?
• Talk to your team - To find out exactly where and how your data is processed and stored you’ll need to speak to the key players in your organisation. Obviously, the fewer people there are the easier this will be.
• Track - Track how the data is being used – is there data you are storing unnecessarily? Is there data that needs to be deleted? 

Review how data is collected and used 

It is important to keep track of how your data is collected and used – do you have a paper-based system organised in a filing cabinet for your employee personnel files? Are you using manual employee electronic records such as word documents or spreadsheets or have you moved to HR software which often allow employee self-service? Do you store this data on a local internal system or do you rely on cloud-base services?

Make sure the data you collect is relevant to your business. For example, storing records about employees’ work history is a legitimate use of data but storing information about what they like to eat and their favourite colour could be classed as unnecessary unless you can prove it is relevant to your business.

Also, make sure you know what processes are being used, how the data is handled, that it is handled securely and review your policies regularly.

Take steps to prepare for GDPR

If you’ve already been compliant with data protection, then it should be straightforward make sure you’re compliant with GDPR.

• Carry out a data audit. Assess your current HR data and identify any gaps with the GDPR.

• Make sure you have a procedure in place for asking for employee consent to collect data. Asking once used to be enough to continue to collect data but now you’ll need to get their permission each time you use or collect data for different things.
• Under GDPR, individuals will also be able to withdraw their consent and have the right to have their data erased. Where consent is relied upon for collecting data you may need to look at using other legal grounds instead to continue to process employee personal data. 

• Revise your employee data protection policy and make sure you have an up to date privacy notice which details what information is collected, why, how it is stored and for how long. 

• Consider appointing a data protection officer or giving someone within your organisation the responsibility for data protection. Task them with advising on GDPR, monitoring compliance and liaising with the data protection authorities.

• Determine a data breach policy to ensure prompt notification if a breach does occur. Consider training employees to recognise breaches and have a plan in place for what they should do if it happens.