Top tips for GDPR compliance

Mar 6, 2018

With the new regulations coming into effect soon in the UK, one company has offered its advice for a smooth process for your business.

KashFlow HR has produced a series of steps to take to make sure your business’s HR function is fully compliant with the new General Data Protection Regulation (GDPR), which will come into effect imminently.

Smallbusiness.co.uk reports that the Federation of Small Businesses’ research shows a third of the UK’s small businesses are “unprepared for the GDPR deadline of 25th May 2018, and a further 35 percent have failed to start preparations.” Therefore, KashFlow HR has offered the following tips.

The company’s first nugget of wisdom is to ensure you have the “specific, informed and unambiguous” consent of your employees to hold data on them. It also adds that you will need to provide “an easy opportunity for employees to withdraw their consent at any point,” should they so wish.

Secondly, KashFlow HR advises that in line with GDPR, you should only hold data for as long as is necessary. Should you wish to keep data – such as a CV of a candidate you didn’t ultimately hire, in case you wish to hire them in the future – you must again have specific consent.

KashFlow HR further advises that when seeking consent, you must explain to employees what their data will be used for, and you can then only use it for that stated purpose.

Similarly, GDPR obligates companies to tell anyone affected by a data breach of this fact within 72 hours of becoming aware of it. GDPR compliance therefore hinges on keeping your data secure and encrypted, both when it’s stored and when it’s transmitted – either by email or any other method. Limiting the number of people who may access employees’ personal data is also an effective tactic, according to KashFlow HR.

Employee data will also be limited under GDPR to that which is directly related to the role and management of the employee – therefore, data such as marital status may not be necessary and companies must ask whether it is good practice to keep such data.

As always, transparency is key, and employees have the right to know what personal data is being processed, and why, as well as where it is being held. KashFlow advises that an effective and non-labour-intensive method of doing this is a secure ‘self-service’ system, whereby employees can access and view their own data, and amend it themselves if necessary.

The company also recommends carrying out a full audit of all your employee data to make sure it is GDPR compliant, paying specific attention to the “crucial element” of security. It also advises that you may need to appoint a member of staff responsible for ensuring compliance, depending on the size of your business. It adds that “at every stage of this process, you should also make a documented note of how you comply with GDPR – as you may be asked to prove this or risk fines.”
