01423 206909

Top 4 ways to comply with GDPR for your people data – Guest blog from Paul Strout

Protecting your employee data and GDPR

We know that GDPR is complex legislation and it can be an area that causes business owners a great deal of stress when it comes to compliance and keeping their employee data safe and up to date.

So we asked Paul Strout from GDPR Assist to share his expertise and thoughts on the top 4 things for business owners to consider.

GDPR is still here

GDPR hasn’t gone away. We may no longer be a member state of the EU, however, GDPR is implemented in the UK and enshrined in UK law via the Data Protection Act 2018.

Strictly speaking, we now refer to “UK GDPR” as there are a few differences but the core elements remain the same.

So, what should businesses be doing to comply with UK GDPR when it comes to their employee data?

This isn’t exhaustive advice, however, I would prioritise the following tasks:

Employee Privacy Notice

If you haven’t drawn one up and are relying on a supplied standardised document then it probably isn’t fit for purpose.

It should be:

  • Written in plain English,

  • Include the information required by UK GDPR Article 13,

  • Specific (so avoid the use of “may”, “might”, “including” etc – say instead what you will and will not do),

  • Accurately describe the data you process and how you process it, where it is stored, what third parties the data are shared with, how people can invoke their rights, how they can lodge a complaint, whether any data are transferred out of the UK and how they are then protected, how its security is assured etc. (you can see from this that a standard document won’t work – it needs to describe what YOU do),

  • A Notice not a “Policy” – its job is to inform, not compel

  • Not included in the Staff Handbook. Handbooks can be interpreted as part of the contract of employment, and a Privacy Notice is NOT a contract,

Record of Processing Activities (ROPA)

All organisations processing personal data are required to maintain a ROPA that complies with UK GDPR Article 30. The UK regulator, the Information Commissioner’s Office (ICO), helpfully created an Excel-based template to use.

For small organisations (< 250 staff) then you only need to document your core processing activities – which will definitely include your HR processing. The template also helpfully shows an example of HR-related data.

Appropriate Policy Documents

Where you are processing special category data (e.g. data related to health, beliefs, trade union membership, biometrics or sexuality) for the purposes of employment then you must also complete an Appropriate Policy Document (APD) to comply with the specific provisions of the Data Protection Act 2018 Schedule 1.

For example, this would include an APD to describe your processing of sickness records or the processing of health data to make reasonable adjustments. The ICO produced a helpful APD template.

Other considerations

Some other points which are worth considering:

  • Do you have documented processes in place which describe how staff should deal with Data Subject Access Requests and Data Breaches?

  • How are you raising the awareness of UK GDPR amongst your staff? (top tip: a good training session on UK GDPR really helps improve compliance by enabling staff to ask questions and spot problems)

  • Is your IT provider helping you review and maintain IT security?

Helpful Resources

The ICO website contains a wealth of information, guidance and examples and is a valuable source of information, you can also contact their helpline for specific advice. I would also recommend that you have a copy of the excellent “GDPR for Dummies” by S. Dibble on your bookshelf (it’s available on Amazon). And lastly, if you need some tailored support then please do contact me, Paul, at GDPR Assist UK Ltd.

About Paul

Paul Strout is the Managing Director of GDPR Assist UK Ltd – a Manchester-based consultancy providing advice on UK data protection matters to SMEs.

Paul says that two of the most common questions he is asked are: “Is GDPR still a thing now that we’re no longer in the EU?”, and “What’s the risk of getting it wrong, or just doing nothing?”.

GDPR is EU legislation, however, it was written into UK law as part of the Data Protection Act 2018. It has since been amended to remove references to EU bodies and replace them with UK references – but apart from that, it is essentially unchanged. So GDPR is still a “thing” post-Brexit, but more properly called “UK GDPR”.

There was plenty of noise around fines under GDPR. These can be significant however there have been only a very small number, so the primary risk isn’t one of sanction from the regulator (the Information Commissioner’s Office).

The primary risk is one of lost opportunity: every organisation is obliged to undertake some due diligence checks on its partners, to ensure that their data processing activities don’t add risks to the individuals concerned. If a business evaluates a potential supplier and finds them wanting, then the risk is the business will go elsewhere. The same applies to consumers looking at your online shop. There is also an increasing risk of civil action from individuals whose rights have been infringed.

There are benefits from taking GDPR seriously; from understanding and meeting your GDPR obligations and being able to demonstrate to people that you are deserving of the trust, they place in you. Build trust, build loyalty, build a competitive edge.