How GDPR Compliant Is Your Organisation’s HR Data?

The main principle behind the new General Data Protection Regulation (GDPR), coming into effect on 25 May 2018, is to protect people from having unnecessary data stored about them, and for too long. In fact, there are seven main principles that you will need to keep in mind when processing personal data, namely:

  1. Lawfulness, fairness and transparency – you will no longer be able to charge a fee when you receive a request for data held, and it must be provided within a month
  2. Purpose limitation – data must only be collected for specified, explicit and legitimate purposes
  3. Data minimisation – it must be adequate, relevant and limited to the purposes required
  4. Accuracy – every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified, without delay
  5. Storage limitation – personal data should not be kept for anything other than the purposes for which it is being processed, or for longer than necessary
  6. Integrity and confidentiality – data must be processed using appropriate technical or organisational measures to ensure its security
  7. Accountability – you will need an officer or someone in your organisation to be responsible for, and able to demonstrate, compliance with these principles

Conduct an audit now!

It’s important that an audit is carried out as soon as possible prior to 25 May 2018. When preparing for GDPR, it may be necessary for various departments – IT, Legal, HR and Compliance – to collaborate, ensuring that data security is robust.

  • The audit needs to assess current HR data and related processing activities to identify any gaps with the GDPR.
  • Assess the legal ramifications on processing personal data. Although consent is currently necessary, it may not meet the more stringent GDPR requirements. Keep in mind that consent may be revoked at any time. You may need to rely on other legal grounds to continue to process employee personal data, but if it can’t be justified you must cease those processing activities.
  • If your business is in an industry that’s highly regulated, you may be able to rely on compliance with a legal obligation as a basis for processing certain employee data. For example, some financial services employers need to provide and update regulatory references for staff for up to six years after the end of employment. Or if you operate in a safety critical environment, you could rely on health and safety risks to justify more intrusive processing of employee data to establish fitness to work, for example.
  • Review or implement documentation. This information must be written in a way that is easy for employees and job applicants to understand, and should include three key documents:
    • Data Protection Policy
    • Privacy notices for employees and job applicants
    • Data Processing Consent documents as signed by your employees
  • To maintain the GDPR principle of data minimisation, you will need to delete data once it is no longer necessary. For this reason, as well as the rights of ex-employees and other data subjects requiring erasure or the restricting of data processing, consider the retention periods of your HR personal data. If you already have a data retention policy, check whether the existing retention periods for HR data can still be justified. You must pay particular attention to matters such as disciplinary warnings, and data retained after the end of employment.
  • Data breaches will need to be reported to the data authority within 72 hours of the breach occurring, so ensure a strict procedure is put in place. Allocate responsibility to certain people to investigate and contain a breach, and to make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • You may need to appoint a data protection officer, either through recruitment or by training an existing staff member. They will be the accountable person and will liaise with the data protection authority.

The Information Commissioner's Office (ICO) recommends 12 steps that you should take now, which you can access here. Or speak to me – I will be delighted to help you make sense of the new GDPR and how its principles should be applied to your organisation.

Helping You

If you need help becoming GDPR compliant, I can provide your business with the documents that you need, which are:

  1. Job applicant privacy notice
  2. GDPR compliant data protection policy
  3. Employee privacy notice
  4. Form to make a subject access request

I can also offer an audit to assess compliance and the actions required and deliver training for your employees, either face to face or by webinar. Get in touch if you need any of these documents or some training. Call me on 0118 940 3032 or click here to email me.

Do You Know What the Latest Employment Law Changes Are?

April is the time of year when certain employment law changes come into effect. It’s important to ensure that your business is up to date with legislation. This can be difficult, especially if you don’t have an HR department. Highlighted here are some current and soon to be implemented changes that might affect your business.

Pensions and Auto-Enrolment Minimum Contributions

It’s important to remind your staff that this month, there will be a mandatory increase in contributions. Employers will need to contribute a minimum of 2%, and employees 3%, providing a total minimum contribution of 5% per month.

Statutory Rates

Most years, the Department for Work and Pensions proposes new rates for statutory payment in line with the Consumer Price Index. This year, 2018, the rates are as follows:

  • Statutory Maternity Pay (SMP) – paid at a rate of 90% of the employee’s average weekly earnings for the first six weeks; the remaining 33 weeks are paid at the statutory rate (or at 90%, whichever is lower). From 1 April 2018, the statutory rate increased from £140.98 to £145.18 per week.
  • Statutory Paternity Pay (SPP), Statutory Adoption Pay (SAP) and Statutory Shared Parental Pay (ShPP) – will also increase from £140.98 to £145.18 per week.
  • Maternity Allowance – payable for those who don’t qualify for SMP payment, this will also increase to £145.18 per week.
  • Statutory Sick Pay (SSP) – as from 6 April, the rate will increase from £89.35 to £92.05 per week. You can offer more if you have a company sick pay scheme, but you cannot offer less.

The amount that your employees must earn to be entitled to these rates is also increasing from £113 to £116 per week. Employees earning less than this will not be eligible.

National Living Wage (NLW) and National Minimum Wage (NMW) rates

As from 1 April 2018, the minimum hourly rates have increased slightly to the following:

  • NLW for employees aged 25 and over increased from £7.50 to £7.83
  • NMW for those aged 21-24 increased from £7.05 to £7.38
  • NMW for those aged 18-20 increased from £5.60 to £5.90
  • NMW for those aged 16-17 increased from £4.05 to £4.20
  • NMW for apprentices aged under 19, or over 19 but in their first year of apprenticeship, increased from £3.50 to £3.70

Changes to Tax on Payments in Lieu of Notice (PILONs)

As from 6 April 2018, an element of all payments received in connection with a termination of employment is chargeable to income tax as general earnings. Previously, if you didn’t have a contractual right to make a PILON, any payment made in respect of an employee’s notice entitlement was regarded as ‘damages for breach of contract’, with the first £30,000 paid tax-free and no NICs due. For further information on this, click here.

Employment Tribunal Maximum Awards and Limits

With immediate effect, the maximum amount of a week’s pay to calculate the basic award for unfair dismissal or a redundancy payment increases to £508. The maximum amount of the compensatory award for unfair dismissal increases to £83,682.

And finally, GDPR!

With all the publicity and hype around this topic, you are probably aware that the new GDPR – General Data Protection Regulations – come into effect on 25 May. To find out more about this from an HR point of view, read my newsletter here.

If you need advice on how any of the above relates to your business specifically, I’d be delighted to help. Do call me on 0118 940 3032 or click here to email me.