Recent research by the Federation of Small Businesses (FSB) has found that one-third of the UK's small businesses are unprepared for the GDPR deadline of 25th May 2018, and a further 35 per cent have not started preparing at all.
It's a worrying statistic, especially as fines of up to €20 million or 4 per cent of global annual turnover (whichever is higher) can apply to businesses that don't comply.
With that in mind, KashFlow HR have produced the following guide to help you check that your small business's HR function is compliant. We've also included some tips on what you need to do before 25th May to make sure you're not at risk of the higher fines.
Make sure you have a lawful basis for holding employee data
GDPR requires a lawful basis for every use of personal data, and consent is only one of six. Where you do rely on consent it must be "freely given, specific, informed and unambiguous", which means the vague blanket consent wording in many existing forms and contracts will need rewriting so it states clearly what data is collected and why.
Because of the imbalance of power between employer and employee, the ICO's view is that consent is rarely the right basis for core HR processing. Performing the employment contract, meeting a legal obligation (payroll, right-to-work checks) or a documented legitimate interest are usually the correct bases, and these belong in a privacy notice given to staff rather than in a standard contract clause. Check your contracts anyway: if they currently lean on a consent clause you may need to reissue them, so get a process in place for this.
Where you do rely on consent for something optional (a photo in a staff directory, say), employees must be able to withdraw it as easily as they gave it, and you need a record of who consented to what and when. For this you'll need a system that's easy to update and audit, like HR software.
You can't keep data forever
The GDPR's storage limitation principle says you should hold personal data only for as long as is necessary for the purpose you collected it. So if you're still keeping the contact details of a temporary employee who left years ago, you'll need to sort through your records. This includes the CVs and data of candidates you didn't end up hiring and of employees who have left your company. Set a retention period for each category of record (some are fixed by other law, payroll records for example) and write it down.
If you want to keep someone's data beyond that, just in case you want to rehire them one day for example, you need a lawful basis for doing so and you must tell them; for an unsuccessful candidate that usually means asking for their specific consent. Again, look at HR software or other management systems if your current setup doesn't let you find and permanently delete data when its retention period ends.
You can only use data for its intended purpose
As mentioned above, you have to tell employees what you'll be using their data for. Under the purpose limitation principle you can carry on processing data where the new use is compatible with the original reason for collection, for example keeping a contractor's contact details from their last engagement so you can contact them about future work opportunities. An unrelated use is a new purpose and needs its own lawful basis and its own notice.
If you're unsure the new use is compatible, the safe course is to tell the people concerned and, where consent is the basis, confirm they're happy for you to continue holding their data.
You have to report data breaches
When GDPR comes into effect, you'll legally have to report a personal data breach to the ICO within 72 hours of first becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. Where the breach is likely to result in a high risk to them (leaked bank details or home addresses, say), you must also tell the affected individuals without undue delay. Either way, keep an internal log of every breach, including those you decide not to report, and record how you reached that decision.
This is to encourage companies to take data security more seriously and do more to protect themselves against cyber-attacks and hacking, which leads us on to the next point...
You'll need to secure your data
GDPR (Article 32) requires you to put in place "appropriate technical and organisational measures" for the personal data you hold, and it names pseudonymisation and encryption as examples. It doesn't mandate a particular technology, but encryption is one of the most effective measures available, and a regulator will expect you to justify it if you skip it.
Encrypt data both when it's stored (databases, backups, laptops) and when it's transmitted: use TLS for any web access to HR records, and don't send spreadsheets of employee data by plain email.
Encryption on its own isn't enough, since a stolen password still opens an encrypted database. Limit the number of people who can access employee and personal data to those who need it for their job, use authentication (multi-factor for anyone with administrative access) to verify whoever is accessing the data, and keep access logs so you can establish what happened if there is a breach.
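As an added illustration of "encryption at rest" for an HR record (this is example code, not part of the original article or KashFlow HR's software), the following Go program seals a constructed employee record with AES-256-GCM. The employee ID is bound in as associated data, so a ciphertext copied onto another employee's row, a flipped byte, or the wrong key all fail to decrypt instead of returning silently wrong data. The record fields, the `E1042` identifier and the in-memory key are all assumptions made for the example; in a real system the key would live in a key management service, never beside the records it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// EmployeeRecord is a constructed sample of the personal data an HR system holds.
type EmployeeRecord struct {
	ID       string `json:"id"`
	Name     string `json:"name"`
	NINumber string `json:"ni_number"`
	Salary   int    `json:"salary"`
}

// Sealed is what actually gets written to the data store: only the employee ID
// is in the clear, everything else is ciphertext plus the GCM authentication tag.
type Sealed struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 32-byte AES-256 key. Assumption for the example:
// in production the key is fetched from a KMS or secret manager at run time.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a record at rest. The employee ID is passed as associated
// data, so the tag also covers which row the ciphertext belongs to.
func SealRecord(key []byte, rec EmployeeRecord) (Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	ct := aead.Seal(nil, nonce, plain, []byte(rec.ID))
	return Sealed{ID: rec.ID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord decrypts and authenticates a stored row. Any change to the
// ciphertext, nonce or the ID it was sealed under makes Open fail, so a
// corrupted or misplaced row is never handed back to the caller.
func OpenRecord(key []byte, s Sealed) (EmployeeRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return EmployeeRecord{}, err
	}
	plain, err := aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.ID))
	if err != nil {
		return EmployeeRecord{}, errors.New("record failed authentication: tampered, moved, or wrong key")
	}
	var rec EmployeeRecord
	if err := json.Unmarshal(plain, &rec); err != nil {
		return EmployeeRecord{}, err
	}
	return rec, nil
}

func main() {
	key, _ := NewKey()
	rec := EmployeeRecord{ID: "E1042", Name: "A. Example", NINumber: "QQ123456C", Salary: 32000}
	sealed, _ := SealRecord(key, rec)
	fmt.Printf("stored row: id=%s ciphertext=%x...\n", sealed.ID, sealed.Ciphertext[:8])

	back, err := OpenRecord(key, sealed)
	fmt.Println("round trip ok:", err == nil && back == rec)

	moved := sealed // same ciphertext copied onto another employee's row
	moved.ID = "E2000"
	_, err = OpenRecord(key, moved)
	fmt.Println("moved row rejected:", err != nil)

	tampered := sealed // one flipped ciphertext byte
	tampered.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = OpenRecord(key, tampered)
	fmt.Println("tampered row rejected:", err != nil)
}
```

The design point is that authenticated encryption (GCM) gives you integrity as well as confidentiality: a plain block cipher would happily decrypt a swapped or edited row into plausible-looking garbage, which is exactly the kind of silent corruption an audit later cannot explain.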
You may not be able to collect as much employee data
Up until now, you may have routinely collected data like driving licence numbers and marital status from your employees and job candidates. Under the GDPR's data minimisation principle you may only collect what is adequate, relevant and necessary for the purpose: a driving licence number is justifiable for a delivery driver, but not for an office role where driving is no part of the job.
It's therefore good practice to run an information audit that asks, for each item of data you hold on each employee, why you need it and what you would lose if you didn't have it.
Criminal records data gets extra protection. Processing it, including the results of DBS (Disclosure and Barring Service) checks, needs a specific condition under the Data Protection Act 2018 and a documented policy, and you should only ask for the level of check the role is eligible for: a Basic check is available for any role, while Standard and Enhanced checks are restricted to eligible roles. Requiring staff or candidates to obtain their own records through a subject access request and hand them over ("enforced subject access") is a criminal offence.
You have to offer transparency at every stage
To be GDPR-compliant, you need to tell employees what personal data you're processing, why it's being processed, on what lawful basis, how long you'll keep it and who it's shared with. You'll also need to provide a free copy of all the data you hold on a person within one month of their request. One way to do this without creating extra work for yourself is to introduce a secure self-service system through which employees can view and (if needed) amend their own personal data, with proper authentication so no one can view anyone else's.
Depending on your current status, you may have to prepare for an overhaul of your employee data systems. At the very least, you should conduct a full audit of your employee data and make sure it meets every compliance point above.
During your audit, pay particular attention to the security of your systems and your data management, as this really is a crucial element of the GDPR.
If you find anything lacking, or you're unsure whether you're compliant, make the necessary changes and investigations. The Information Commissioner's Office (ICO) is also a great source of information on GDPR.
Depending on what processing you do, rather than simply your size, you may have to appoint a data protection officer to oversee your compliance: this is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data. Even where it isn't required, someone should own compliance. You should also offer training to anyone who'll be dealing with employee data, to ensure they're aware of what it takes to be compliant.
And at every stage of this process, document how you comply with GDPR (the accountability principle), as you may be asked to prove it and risk fines if you can't.