December 9, 2017

What Does GDPR Mean for Your Business?

Are you unsure what GDPR means? Well, it means A LOT. Whatever the size of your business, you must comply with new regulations regarding the security, storage and use of personal information.

The ramifications of the European General Data Protection Regulation (GDPR) for UK trade are so significant that it’s being enacted here very soon – so forget about Brexit. It’s currently going through the UK parliament and will become law in a few months.

Many small business owners will already know that this far-reaching new legislation will come into force on May 25, 2018.

But many are also asking: what does GDPR actually mean for my business?

Major changes to current data protection regulations

You may have heard that Telecoms giant TalkTalk are currently being fined £100,000 for a significant data protection breach.

Rogue employees “sold on” at least 21,000 customer data records, including names, addresses, telephone numbers and account details, resulting in scam calls to TalkTalk customers.

The maximum fine the Information Commissioner can currently impose is £500,000.

But in twelve months, from May 2018, the maximum fine becomes approximately £18 million (20 million euro) or 4% of a company’s global turnover as a result of GDPR, a far-reaching piece of European legislation, coming into force.

The Information Commissioner’s Office is currently working on supportive guidance envisaged for publication about next March.

What are the consequences of GDPR?

The terms of GDPR stretch far wider than employment. Unsurprisingly, things like mailing lists and customer records are covered but, potentially, so too are web data – location, IP addresses, cookies etc.

Some organisations have a much greater exposure to GDPR than others. However, every organisation that employs staff is affected in some way. Just like the current Data Protection Act, GDPR has significant impact when processing employees’ personal data.

GDPR applies to you if you regularly deal with personal data, which includes present and past employees and suppliers, not just customer data.

Three questions to help you stay compliant

1. What are your current employment practices?

There are plenty of tricks of the trade you can sensibly adopt to make life easier and keep your employment practices compliant. For instance, the likelihood is that your employees currently give tacit approval to the processing of their personal data. That will change.

In future, you should assert your entitlement to their personal information because of legal obligations (deducting tax and national insurance for instance) or contractual necessity (like bank account details so you can pay them).

Things you may take for granted now – such as recruitment documentation – will sensibly be audited. Your application forms, offer letters, reference requests etc. should be reviewed.

2. What are the implications you may not have considered?

Have you thought about the more peripheral issues? Operating CCTV means you process personal data. And when employees provide details about their next of kin, do you have that person’s approval to hold their data?

A major issue in GDPR is confidentiality.

Where do you store employee records? Is it a locked filing cabinet accessible only to authorised managers? Or is it a shoebox in the stationery cupboard? If you keep it on a computer is access strictly limited and password protected? Is personal information you share electronically encrypted?

A midwifery assistant at Colchester NHS Trust was recently fined £1,715 (including costs) after accessing 29 patients’ medical records inappropriately. Only two were pregnant and six were actually men!

It’s highly likely that GDPR would also focus on why it was considered appropriate for such a junior employee to have unfettered access to sensitive personal data on such a wide-ranging basis.

Another consideration is how long to keep personal data.

What do you do when the original purpose for its collection expires? Can you say no if staff ask to check what you hold or want to know who you’ve shared it with?

3. Should you carry out a full audit?

This article is not intended to give you sleepless nights.

The Information Commissioner has been at pains to point out that her prime purpose in life continues to be to guide, advise and educate.

However, she’s equally clear that she absolutely supports the new European legislation and has long argued for a stronger data protection environment with significant deterrent penalties for offenders.

So let’s take it back to TalkTalk. Their fine under UK legislation was £100,000. That’s 20% of the current maximum penalty. 20% of the GDPR maximum would be about £3.5 million.

And even if you don’t get a massive fine, the reputational damage to your organisation can be very significant. Statistics show that people simply do not trust organisations that are careless with their personal information.

All of which suggests it’s well worth auditing your data protection provisions well before May 25th 2018.

If you are unsure about how GDPR applies to you, contact us on 0845 184 4615.

Want a round-up of stories like this delivered to your inbox?

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for the developing of employment documentation and is an Employment law advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the Boards of several social enterprises and undertook a five year tour of duty as Executive Chair of a £30+ million annual turnover Government agency.