WHAT CHALLENGES DO SMEs FACE TO BE GDPR-COMPLIANT?
In the last of a three-part series looking at the new General Data Protection Regulation coming into force in 2018, South Coast HR outlines how the new law will impact SME businesses.
For many, if not all, SMEs, personal data is a key tool in targeting and retaining customers. Add to that personnel records, including details of unsuccessful job applicants and ex-employees, plus those of suppliers, prospects and all manner of other individuals and even the smallest of businesses is likely to hold a multitude of data.
The new General Data Protection Regulation (GDPR), which applies from 25 May 2018, means that all of it must be handled with greater care than the Data Protection Act 1998 it replaces demanded. Businesses will need to be able to account for all the personal data they hold, where and how it is held and used, and have procedures in place to comply with the rights that the new law gives data subjects (the individuals whose data you hold).
Complying with the GDPR
Complying with the new regulation has significant implications for SMEs and demands action on three key fronts:
- Consent – this is probably one of the biggest challenges facing SMEs. Under the GDPR consent must be freely given, specific, informed and unambiguous, and it must be traceable: it cannot be inferred from silence or from, for example, a pre-ticked box. Businesses will need to be able to prove an indisputable record of consent, such as screenshots and signed consent forms, showing that an individual agreed to how and why their data is being held and processed. If the way their data is held changes, or the data controller wants to process it for a new purpose, consent will need to be obtained again for that purpose. Note that consent is only one of six lawful bases for processing under the GDPR. For much HR data (payroll, contracts, statutory records) the lawful basis will usually be performance of the employment contract, a legal obligation or legitimate interests, and Recital 43 of the GDPR states that consent is unlikely to be freely given where there is a clear imbalance of power, as there is between an employer and an employee, so consent should be relied on for employee data only where the individual has a genuine choice.
Additionally, individuals have the right to withdraw their consent at any time; withdrawing consent must be as easy as giving it, and the request must be actioned promptly. Where consent was the only lawful basis for the processing, withdrawal also triggers the right to erasure (the 'right to be forgotten'), meaning that their details must be permanently erased from every system that holds them, and not just removed from a mailing list.
- New rights for data subjects – the GDPR increases the number of rights that a data subject can exercise. The rights of access, to have inaccurate data rectified and to object to direct marketing remain. New ones include the right to restrict processing (so that data is stored but not otherwise used while, for example, its accuracy is disputed), the right to erasure, and the right to data portability (to receive personal data in a structured, commonly used, machine-readable format and to have it transmitted to another data controller).
- Notification and record-keeping – the GDPR requires controllers and processors to keep a record of all the personal data they process (Article 30), including the purposes of the processing, the recipients of the data, any transfers of the data outside the EU, the time limits for erasure and the technical and organisational measures in place to protect the data. Organisations with fewer than 250 employees are exempt from this record-keeping duty only where the processing is occasional, is unlikely to result in a risk to individuals and does not involve special categories of data or criminal conviction data; since HR records are processed routinely, most SMEs will still need to keep the record for at least that processing.
Should a personal data breach occur, the data controller must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor must notify its controller without undue delay. Where the breach is likely to result in a high risk to individuals, the data subjects must also be told without undue delay and informed of any actions they should take to mitigate the risk. Whether or not a breach is reported to the ICO, it must be documented internally, together with its effects and the remedial action taken.
The GDPR also introduces new regulations for organisations or businesses that gather and process the personal data of children, stating that ‘Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data.’
Preparing for the GDPR
For most SMEs preparing for the introduction of the GDPR will mean a change in company culture and a considerable amount of work, including:
- conducting a full audit of all personal data that is currently held, and of the ways in which it is stored and processed
- conducting a gap analysis to identify where existing policies and procedures will require revision to bring them into line with the new regulation
- bringing those policies and procedures up to date
- identifying personal data for which there is no lawful basis or, where consent is relied on, no valid consent
- obtaining the necessary consents
- permanently deleting personal data that cannot lawfully be kept
- designing and implementing processes and procedures to meet data subject requests relating to their new rights
- devising and implementing processes and procedures for detecting, documenting and notifying data breaches
- training staff involved in collecting, collating, handling and processing personal data in the GDPR requirements
South Coast HR takes a business-focused, no-nonsense, jargon-free approach to supporting businesses faced with challenges such as implementing the General Data Protection Regulation. While we are experts in the field of human resource management, SCHR recognises that the GDPR has a reach beyond HR alone and will work with business owners to ensure compliance throughout their businesses.
How we can help you
We can support you with the HR element of GDPR compliance, including:
- Reviewing and updating HR policies and procedures to ensure they are compliant
- Training staff on GDPR and what they need to be aware of
- Reviewing and updating contracts of employment to ensure they are compliant
- Working with you to obtain explicit consent from employees regarding their personal data where consent is the appropriate lawful basis
- Supplying a GDPR-compliant HR system like breatheHR
For more information on the GDPR and how we can help you comply, contact the friendly and expert team at SCHR on 01903 389085.