GDPR: What is it and what are the HR implications for small businesses with employees

16th March 2018

It’s almost 20 years since the Data Protection Act was introduced! So, the EU leaders felt it’s time for a revamp and consequently have introduced the General Data Protection Regulation (known as GDPR), which comes into effect on 25th May 2018.

Here I’ll fill you in on what the GDPR is, the implications for you as a small business owner with employees, and some of the actions you should think about taking to make sure your HR practices are compliant with the new rules.

What is the GDPR?

In short, the GDPR is about placing more responsibility and accountability on all companies who collect and use ‘personal data’, and providing greater clarity and more rights to all of us, as individuals whose ‘personal data’ is being collected and used.

‘Personal data’ basically refers to any information that relates to an identifiable person.

The principles of data protection are that the data you hold on a person must be fairly and lawfully used, be relevant and limited to what is necessary, be accurate and kept up-to-date, be collected and used for legitimate reasons, only be held for as long as it’s necessary, and be maintained securely.

The new responsibilities of the GDPR also apply to you as an employer, regardless of how small your business is and how few people you might employ.

Why you should make compliance with the GDPR a priority

The consequences of breaching the new regulations will make your eyes water. The potential financial penalties at stake for a breach are huge: up to a possible €20 million or 4% of the company’s annual turnover, whichever is the greater amount.

There’s a new requirement to notify the data protection authority within 72 hours if there is a personal data breach, regardless of whether the breach was intentional or accidental.

There are also new reporting requirements if you employ more than 250 people.

None of this is meant to scare you, but taking the GDPR seriously as an employer is really important.

New rights for employees

There are also increased rights for your employees.

Under the GDPR, employees will be able to request that you make legitimate amendments to the personal data you hold on them. Employees can also request to delete the personal data you hold on them. This is known as the ‘right to be forgotten’. You can decline the request where you have a justifiable reason.

For years employees have had the right to request access to information their employer holds on them. This is called a Subject Access Request. Under the GDPR, you can no longer charge a £10 admin fee to deal with a request, unless the employee makes excessive or repeated requests and in which case you can charge a ‘reasonable’ admin fee. Also, you will only have up to one month to respond, less time than the current 40 days’ timeframe.

Where to start

You will need to demonstrate that you’re being compliant with the new rules, so don’t delay in getting to grips with your responsibilities so that you’re ready for the 25th May.

Before you take any action though, the first thing I’d advise is to review the personal data you hold on your employees. Consider the following:

• What personal data do you hold?
• Have your employees given their express consent for you to collect and process that data?
• What method of gaining consent did you use?
• What is the purpose for holding that data?
• Do you still need to collect it going forward?
• Do you pass any of it on to third parties?
• Where is it stored?
• How long do you keep it?

Then, once you know what you have, you should seek to prove you need it for a good reason and ensure you are doing everything you can to protect it, e.g. password-protecting documents and using lockable filing cabinets.

Taking some action

Here are some of the HR considerations that will need your focus:

1. Updating your policies and staff handbook

You’ll need to update your internal privacy or data protection policy for staff. Make sure it states the importance of data protection, the new rules under the GDPR and the responsibilities on employees who handle personal data.

You should also have a privacy notice which includes detail about what personal data you hold on employees, the purpose for which you hold it, how you store it, whether you plan to transfer the data to another country, and your employees’ rights under the GDPR.

Both documents should be clearly worded, accessible and made available to all employees.

2. Updating your recruitment processes

Your privacy notice should also include information that relates to the personal data of job applicants. This should be on your website and be signposted to your job applicants as early as possible in the recruitment journey.

3. Updating employment contracts

Currently, most employers rely on their employees’ signed employment contract as consent for them to collect and use their employees’ personal data. You’ll no longer be able to rely on this.

Under the new regulations, employees mustn’t feel ‘forced’ or ‘obligated’ into giving their consent. Consent must be ‘freely given, specific, informed and unambiguous’. So, take all mention of consent to process personal data out of the employment contract. You can still request consent, but have this as a separate form which includes your privacy notice.

However, an employee can decline to give their consent, or they can withdraw their consent at a later stage. So, another option is to base your processing of employee personal data on another legal basis, perhaps on a ‘legitimate interest’ of the business. This is a bit of a tricky one to get your head round so your approach here will need a sound understanding of the GDPR.

4. Training

Train all staff who handle personal data and ensure they understand the importance of data protection under the new regulations, and their role in helping to make sure the company stays compliant.

Depending on the size of your company, you might need to appoint a Data Protection Officer. If not, it’s still a good idea to allocate and train someone in your company with responsibility to deal with a compliance issue.

5. Leavers

Consider having a policy in place so that your employees know what data you will continue to hold on them when they leave your employment, the reasons you’ll be keeping it, and for how long.

I hope this provides some useful information to help you as you get cracking on making sure your company is compliant for the GDPR in May.
