A date with new HR data laws
Responsible for the HR administration in your business? You've got a lot on your shoulders. Keeping track of data and ensuring it's usable is a big challenge, and believe us, it only gets bigger as your business grows. But set aside how you use the data you hold for a minute, because we're talking about your duty to keep the information you hold about your staff safe.
Data protection legislation sits alongside Health and Safety as one of the most disliked and most ignored aspects of employing people in SMEs. However, you won't be able to turn a blind eye to it when the General Data Protection Regulation (GDPR) comes into force in May 2018. You may have under two years to prepare, but prepare you must. The fines for non-compliance can be as high as 4% of annual global turnover (or 20 million euros, whichever is higher) for the most serious breaches. Now we've got your attention!
Although the regulation is EU legislation, it will be in force before Brexit takes effect, and it is unlikely the requirements will be lightened afterwards. Data security incidents are only going to become more serious, so the UK government won't be taking its foot off the pedal.
This is a bigger issue than first meets the eye. Aside from the standard information you hold on current employees, consider what information you still hold about former staff. And what do you do when a Subject Access Request (SAR) arrives? It may come from a customer, or from a disgruntled employee on a fishing expedition.
Currently the requester can be charged a £10 fee, and you have 40 days to provide the information. Responding usually means an awful lot of work sifting through emails, CRM systems, payroll, employee or customer files, and any hard copies. Under the new regulation the fee is removed in most cases, the deadline shortens to one month, and responses must be concise, transparent and easily accessible. Individuals also gain stronger protection: where you rely on consent to process their data, that consent must be freely given, specific, informed and unambiguous, so a pre-ticked box or consent inferred from silence will no longer count.
As with all such obligations, you need clear policies and processes that demonstrate your company complies with the data protection principles. The policies must be specific about what data is collected, how and why it is collected, and for how long it will be retained. Training staff on the importance of security and the risks of careless handling of sensitive personal data is paramount. All of this plays a considerable part in being a responsible employer, so make sure data security is something you are aware of and actively engaging with. Don't land yourself with penalties that could put your business at risk.
Jayne Hart, HR Director, The HR Dept Newcastle
This was posted in Bdaily's Members' News section by Jayne Hart .