In addition to helping local people with their legal issues, we also help many small to medium businesses with everything from debt recovery and pension rights, to health and safety issues and employment law.
Unless you have been hiding under a rather large rock for the last 18 months, you will be aware of one very significant piece of legislation that will affect all businesses, and not simply from a marketing perspective.
The upcoming General Data Protection Regulation will affect all businesses with employees, regardless of any external marketing they do.
We spoke to local HR expert Louise Tupman from Totally HR about GDPR and asked her what the regulation means for employers from an HR perspective…
The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 – Are you ready?
Six Steps to ensuring your HR is GDPR compliant
The new GDPR regulations replace the current Data Protection Act 1998 and place more emphasis on being accountable and transparent about your reasons for processing employee data.
The most significant change is the increased sanctions for breaches – something that is a major source of concern for businesses, particularly smaller ones.
Breaches of the GDPR could result in fines of up to €20M, or 4% of global annual turnover, whichever is the greater.
UK businesses must be able to demonstrate their compliance to the Information Commissioner's Office (ICO), the regulatory body for data protection laws in the UK, on an ongoing basis, maintain records, and ensure that individuals (including employees) can exercise their significantly increased rights to access their personal data.
Audit all of the personal information you hold on your employees
You must go through all of the data you hold on your employees and identify the lawful basis for retention, where data is held and how long it is being held for.
Employee Contracts & Consent
You will not need to change existing contracts; however, you will need to obtain separate consent not related to the acceptance of employment, and new contracts going forward will need to be updated to reflect the new regulations.
Notify your employees
You need to inform them that the law on data protection is changing and what this means for them.
Managing Personal Data going forward
It is recommended that you consider appointing a Data Protection Officer (DPO) or Privacy Officer to manage GDPR compliance going forward. You may also have to maintain a Data Register of your data to remain compliant. If you use a third party, such as a payroll provider, external HR resource provider or recruitment agency, to process employee data, you will also be responsible for ensuring the third party is GDPR compliant.
Subject Access Requests (SARs)
The new regulations give employees the right to request access to their information. Employers need to be prepared for how to handle such requests in a timely manner and be aware of SARs being used to obtain information which may be useful in tribunal claims.
Reporting data breaches
Organisations will be required to report data breaches to the ICO in all but the most trivial cases, unlike the current approach. Employers may also be required to inform data subjects affected by the breach.
Working alongside other local specialists such as Totally HR is really important to us, as it ensures you get the right advice for you and your business.