Are you switched on for GDPR?

Jun 24, 2018 | Insights, News

Written by: Jonna Mundy Photography by: Caroline Allington

Most of you reading this article will know that ‘G-Day’, as the You HR Team call it, fell on 25 May 2018, but many organisations still do not recognise what the Regulation means for them as an employer.

According to a recent survey undertaken by the Federation of Small Businesses (FSB), a staggering 47% of the UK’s office workers do not know whether their employer is taking action to comply with GDPR… are you one of them?

Any business that handles personal data needs to identify ‘WHAT’ data is collected; ‘HOW’ that data is used; ‘WHERE’ it is securely stored (and when it is deleted) and ‘WHY’ it is actually needed. The Regulation adds an emphasis on ‘WHO’ – i.e. the data subject – who must be told the what, how, where and why!

The Regulation distinguishes two main types of data: ‘personal data’ and ‘sensitive personal data’ (known as ‘special categories of personal data’ under GDPR). If you hold or process either type of data, then GDPR applies to your business. Let’s face it – that’s all of us!

Although GDPR is an EU Regulation, the UK government has confirmed that equivalent rules will continue to apply after Brexit, and there are significant consequences for non-compliance: fines of up to 4% of annual worldwide turnover or a fixed maximum (€20M under the EU GDPR, set at £17.5M in the UK), whichever is the greater.

So it’s inevitable that GDPR affects us all, and affects us all from an HR perspective too. Whether you employ staff or engage non-employed workers through other means, personal data will form part of this relationship (even records you hold from recruitment activity), and every processing activity needs a lawful basis. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Be aware, though, that the ICO regards consent as rarely ‘freely given’ in the employment relationship because of the imbalance of power between employer and worker, so most HR processing will need to rest on another lawful basis, such as performance of the employment contract, compliance with a legal obligation or your legitimate interests.

You also need to rethink how you approach data retention: how long each record is needed, and how your systems, processes and policies can be adapted to control your data needs, train and inform staff, and drive regular cleansing of unneeded or excess data. Individuals have eight rights under the Regulation (the rights to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and rights in relation to automated decision-making and profiling), and each of them will need to be exercisable through your organisation’s practices. This will inevitably mean change, to a lesser or greater extent for you, so without a doubt change is afoot for your organisational culture and the way your business behaves and complies with regard to personal and sensitive data.

A personal data breach must be reported to the supervisory authority, the Information Commissioner’s Office (ICO), without undue delay and, where feasible, within 72 hours of your becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected; where the risk is high, those individuals must also be told without undue delay. Your systems and processes need to be able to handle this eventuality: you can only meet a 72-hour clock if you can detect a breach, establish what data was involved and record what you decided and why. With Proband recently reporting that 52% of staff access their work emails on unsecured personal devices, how confident are you in the data flows coming into and going out of your organisation, and in your ability to contain a breach of personal data?

With GDPR in mind, You HR Consultancy Limited are keen to practise what they preach, so two of their lead HR Advisers, Nichola Kirk and Kairan Knight, have taken on the mantle of Data Protection Officers for the business and are paving the way for best practice in compliance.

The You HR Consultancy Team take great pride in their work and whilst we all know them for their refreshing and vibrant style in demonstrating how HR can be fun (don’t mention they do the pink and fluffy stuff, they really don’t like it!), they lead by example in demonstrating how the difficult can be done!

Nichola Kirk recently led a flawless full employment inspection of a client by HMRC and the response received was outstanding, not least from the Inspector himself. To quote from a letter from the ‘Man from the Ministry’ (HMRC!):

“I refer to our meeting on 19 March 2018 and would like to express my sincere thanks to Nichola, for the assistance and courtesy you afforded me on the day…. I can confirm that I have no further enquiries in relation to this review and I will now take the necessary steps to finalise my records. Finally, may I take this opportunity to thank you for your co-operation during the course of this review.”

This result was achieved through a relentless focus on ensuring the client was compliant in their employment practice (employees and non-employed workers), in the management of records and data, and in aspects such as the dreaded IR35!

When the You HR Consultancy team take on a new Retained client, their first step is to undertake a comprehensive HR Health Check. The results are reported back to the client with a suggested plan of prioritised action, demonstrating how issues, risks and areas of good practice can be addressed; not just in regard to legislative compliance from an HR Transactional perspective, but also regarding learning and development, any future proposed change, and not forgetting workplace wellbeing (last but by no means least… and still not pink and fluffy!)

The You HR Tree of People Growth identifies how we can all take a leaf from the tree and look at what might need focus in our organisations… after all, as the strapline says, “It’s all about the people”. The passion for people doesn’t stop there… You HR Consultancy Limited only works with Small to Medium Enterprises (SMEs) and the Not for Profit (NfP) sector, with an ethos of achieving a purpose, not just making a profit. With our newly launched You HR Academy, which can house clients’ bespoke learning and development online, our success rate in achieving efficiencies for clients is second to none.

We live and breathe our business values and operate with integrity, honesty and transparency… thinking outside of the box to find the right solution for You. Reputation is everything and we are proud to have a 100% success rate with every client who has engaged our services. We always listen and demonstrate that we understand by producing a clear scope of work. We then take action by delivering HR and OD services and achieve outstanding, sustainable results.

Business is all about the people… let us help you get the very best out of yours.

You HR’s 10 point checklist to assist you with your GDPR prep:

1. Audit your data and assess the risk: start with a data audit and gap analysis to determine what needs to change in your systems, processes, policies and procedures, and carry out a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals

2. Roles & Responsibilities: define them clearly within your organisation. Appoint a Data Protection Officer (where required or appropriate), and confirm for each processing activity whether you are the Data Controller or a Data Processor, and who your processors are

3. Awareness: Make sure everyone who has any involvement in handling/processing data knows their responsibilities and the potential consequences of data breaches

4. Map your data flows: clearly map all the incoming and outgoing flows of personal data, where it is stored, who it is shared with, how it is processed and the lawful basis for doing so

5. Training: provide those involved with the training and support they need to undertake their roles; this includes awareness training for all your staff (employed and non-employed)

6. Make the Change Happen! Have a robust plan that clearly sets out all your actions, and keep a record/audit of all you are doing (should the ICO come knocking!) so that you can demonstrate your compliance.

7. Security: ensure your systems and procedures are secure (this applies to hard copy as well as electronic records), with access limited to those who need it, encryption of portable devices and backups, and a tested way of detecting and responding to a breach

8. Rights: be sure to inform your Data Subjects clearly and concisely about their ‘Rights’, and update your privacy notices

9. Obtain consent and assurance: where you rely on consent, obtain it freely given, specific, informed and unambiguous from your data subjects, and make it as easy to withdraw as to give; and put written contracts in place with those that process your organisation’s personal data on your behalf, containing the assurances the Regulation requires

10. Privacy by Design and by Default: moving forward, build data protection into your organisation’s approach, so that it is part of future practice and of every new system or process you develop

