Don’t Stress over GDPR

Everywhere you look, you can’t miss the initials GDPR. Social media is full of discussions, and I could spend all day every day attending “GDPR Training Courses” and “GDPR seminars” and then buy lots of compliance guides and products. After all – if I don’t comply, the Information Commissioner is going to come in and fine me £20m.

Consequently, businesses are being sent into panic mode, running around trying to deal with misleading advice: “You have to do X”, “You can’t do that anymore…”

Just in case you have been in a cave somewhere, GDPR stands for the “General Data Protection Regulation” and is a major EU update to Data Protection laws. When it comes into force in the UK, in 6 weeks’ time, it will be known as the Data Protection Act 2018 and will replace the 1998 Act.

If you currently comply with Data Protection legislation, then the new Act simply requires you to tweak a few procedures and approaches. For most small businesses, it won’t require radical reform of your systems.

Most employment data is held for either a legal reason (e.g. proof of eligibility to work in the UK) or for a legitimate business reason (e.g. bank details held to pay people). People don’t need to give consent for you to hold this.

The major changes from an employment perspective are that:

· If an individual requests a copy of their data, you can no longer charge for this and have to respond faster (30 days rather than 40)

· You must tell employees if any of their data is passed to a third party (e.g. a payroll bureau) or outside the EU (for example, if you are part of a larger organisation)

· You must also tell people if you use automated systems to make decisions (for example if you shortlist candidates for a job using software)

· You must only use data for the purpose it is supplied for (e.g. you can’t hang on to a CV for an unsuccessful job candidate on the off chance that they might be suitable for a different vacancy)

You should also have very clear rules about how long you retain individual data for after an employee has left (although you should have these already!)

This isn’t to say that some types of business in certain sectors, particularly those that directly market to individuals, won’t have a great deal to do (which is why you will find that you are suddenly being asked to confirm if you still want to receive those marketing emails that you hadn’t realised you’d signed up for). And of course, if you weren’t following the current data protection legislation then you may suddenly need to get your house in order. But for most smaller businesses, the advice is:

Generally, Don’t Panic, Review!

 
