Recent research has suggested that 39% of SMEs haven’t spent any time planning or preparing for the General Data Protection Regulation (GDPR) over the last year.
With the clock ticking down rapidly to May 25 when the rules come into force, if you’re one of the small businesses that haven’t planned for GDPR, you need to prepare for its consequences right now.
The GDPR marks the start of a radical new data protection landscape, with significant penalties if your business doesn’t comply, so here are 9 key points small employers need to watch out for.
GDPR will mean employers need to rethink how personal data is collected, used and kept.
Employers will need to allocate sufficient resources to ensuring compliance with the GDPR, considering the size of their organisation, the types and volumes of data it processes and the level of risk – there is no “one-size-fits-all” solution.
It is imperative organisations understand the implications of GDPR from an employment perspective, or they risk fines of up to €20 million, or 4% of global annual turnover for the preceding financial year, whichever is greater.
It’s important for employers to take a realistic, risk-based approach to compliance and, with the deadline looming, they should focus on the most important and riskiest areas first. Here are 9 things employers need to know about GDPR:
1. GDPR affects small employers too
The GDPR will apply to organisations of all sizes; small employers are not exempt. However, not all organisations will be treated the same. Those that are not processing large amounts of data and are not involved in high-risk processing won’t be expected to commit as many resources to GDPR compliance.
There are very limited exemptions in terms of record-keeping requirements for organisations with fewer than 250 employees (these do not apply to the processing of sensitive data), but all other requirements of the GDPR apply.
2. Organisations need good reason to process personal data
The GDPR specifies the conditions under which it is acceptable to process data, and organisations need to be sure that at least one applies.
While having “consent” is one, the employer/employee relationship means it could be tricky to prove that consent has been freely given, so it is advisable to have at least one other.
Processing personal data is often essential to delivery of the employment contract – e.g. paying the employee’s salary – so in many cases this will be sufficient.
Employers should also be aware that the GDPR will apply to the processing of personal data of individuals who are not employees, for example contractors.
3. Individuals have the right to be forgotten
The GDPR sets down the rights of individuals to ask that their personal data be erased.
4. Employees have the right of access to data
The Data Protection Act 1998 already gives employees the right to make a subject access request in relation to their personal data, but under the GDPR these rights will be extended.
Fees for such data subject access requests will be removed and a shortened time frame put in place for employers to provide the information.
5. The GDPR will impact on the recruitment process
The GDPR will bring new protections for potential employees and, with it, new responsibilities for recruiters.
For example, employers will need to formalise the reasons why data is processed and the period for which it will be retained, and provide this information to job applicants.
6. Criminal records checks
Under the GDPR, employers would be allowed to carry out criminal records checks on prospective employees only if this is specifically authorised by law, for example where a Disclosure and Barring Service check is required for a role involving work with vulnerable adults or children.
However, this is an area where the GDPR allows governments to set their own rules to some extent – and, under the proposed new UK data protection law, employers will be able to carry out criminal records checks in more circumstances, so this is an area to watch for developments.
7. Businesses may need to appoint a data protection officer
Where an organisation is a public body, its core activities involve large-scale data processing requiring regular monitoring of individuals, or it carries out large-scale processing of sensitive personal data or data relating to criminal convictions, it will need to appoint a data protection officer.
8. Employers will need to provide an “information notice”
A key requirement of the GDPR is that employees are informed about the processing of personal data and this must be formalised in an information notice (aka a “privacy” or “fair processing” notice).
The information provided needs to be significantly more detailed than that provided under the Data Protection Act 1998 and includes, among other things:
- The identity and contact details of the employer
- The purposes – and legal basis – for data processing
- Details of any transfer outside the EEA
- The period for which the data will be stored
- The right of access to data and to request its rectification or erasure
- The right to withdraw consent (when the legal basis for processing is consent)
- The source of the data (if not directly from the employee)
9. Non-compliance could be very costly
Compliance with the GDPR is not something to be taken lightly, with fines as high as €20 million or 4% of the organisation’s global turnover – whichever is greater – for breaches.
With the deadline just around the corner, employers can’t afford to wait any longer to prepare.
About the author
This guide has been written exclusively for ByteStart by Jo Stubbs of XpertHR. XpertHR has produced a guide providing an overview of the GDPR changes relevant to HR and the strategic considerations for organisations developing a compliance programme. The guide can be accessed here.