GDPR Myth Busting for SMEs and mid-tier businesses

GDPR is coming, no doubt about it. On 25th May 2018 all organisations in the UK will be required to comply with this new European regulation, regardless of size or sector.

What is GDPR anyway?

GDPR stands for the General Data Protection Regulation. It is a European Regulation which was adopted on 27th April 2016 and becomes enforceable from 25th May 2018. It is directly applicable in all EU Member States, including the UK, despite all the uncertainty over Brexit.

The intention behind GDPR is to strengthen and update existing data protection rights and laws, which have not been substantially updated in the last 20 years despite huge advances in technology and changes in business practice.

The new legislation aims to give control back to individuals (called ‘data subjects’) over their personal data, whilst simplifying, harmonising, and regulating the use of personal data in an increasingly international and virtual business environment.

But what’s all the fuss about and how will it impact mid-tier businesses?

Over the coming months we will be looking at different aspects of GDPR and how these might impact your business from a Human Resources perspective, including:

  • GDPR – How well do you know your data?
  • GDPR – GDPR compliance when using third party suppliers
  • GDPR – Consent and the employment relationship
  • GDPR – Privacy notices and contractual clauses
  • GDPR – Subject Access Requests
  • GDPR – Data breach notifications
  • GDPR goes live!

This month we will start by looking at some of the basics, cutting through some of the myths surrounding GDPR. Sign up to our newsletter to ensure you get each chapter as it comes through.

Fact vs. fiction

  1. Brexit means UK businesses don’t need to comply with GDPR.

False – UK businesses must comply with GDPR regardless of Brexit. GDPR applies directly in the UK from 25th May 2018, while the UK is still a Member State. To carry its requirements into UK law after Brexit, the government is taking a new piece of legislation, the Data Protection Bill 2017, through Parliament to gain Royal Assent; once passed, it will mirror the requirements of GDPR in domestic UK legislation.

  2. I’m a small business, so I don’t have to do anything. GDPR doesn’t apply to my business.

False – SMEs also have to comply with GDPR. There is a limited exemption for organisations with fewer than 250 employees in relation to record-keeping requirements, but be aware that this is only a narrow exemption: the other requirements and principles of the GDPR apply regardless of the organisation’s size.

Organisations with fewer than 250 employees must still retain a record of their processing activity if the processing:

  • is likely to result in a risk to the rights and freedoms of data subjects;
  • is not “occasional”;
  • includes special categories of data (i.e. sensitive personal data); or
  • includes personal data relating to criminal convictions and offences.

In truth, it’s unlikely that even small employers will be able to rely on the exemption, as most employers process special categories of data relating to their employees (sickness absence records, for example), and that processing is not occasional.

  3. It’s just another “Millennium Bug”. It’s all a lot of fuss about nothing. It’s just an opportunity for consultants and IT firms to make lots of money out of me – I’ll take the risk of doing nothing!

True and False – Firstly, it’s entirely your choice, as a business owner, whether you do anything about ensuring you are compliant with the new regulation. But as with everything, there are risks in doing nothing.

Specific risks and issues which need to be considered are:

  • Financial penalties – you could be fined up to €20 million or 4% of your total worldwide annual turnover, whichever is higher. In addition, GDPR makes it easier for individuals (be they employees or customers) to bring private claims against companies. Any person who has suffered damage due to a breach has the right to receive compensation, including for non-material damage such as distress, even where there is no financial loss.
  • Negative publicity and poor business PR – Whilst some say “there is no such thing as bad publicity”, if your business depends on customers and uses their data, making the headlines for a data protection failure will lose you customers and hit your bottom line.
  • Increased employee relations issues – GDPR gives your employees additional rights. Key changes include:
    • The right to erasure (known as the right to be “forgotten”);
    • The right to data portability;
    • The right to object – includes profiling, direct marketing, and processing for research; and
    • The right to not be subject to automated decision-making including profiling.

In a world where everyone seems to be very aware of their rights, especially employees, this is likely to result in additional time, effort and resources, taking you and your HR team away from adding value to your business. Where employees are members of trade unions (whether you recognise them in your own business or not), failure to comply with the regulation is likely to result in employee relations issues and potentially an increased number of employment tribunal applications. This costs your business time and money, and can have a detrimental impact on employee engagement.

Remember – the fee for employment tribunal applications has been removed, making it easier for employees to lodge claims. It has been predicted that GDPR is likely to increase the number of constructive dismissal claims. Additionally, former employees will be able to make private claims against past employers.

But DON’T PANIC! Whilst it sounds alarming and time consuming, in essence the majority of the work needed to prepare for GDPR involves reviewing your current data collection, management and transfers, and ensuring these are complemented by appropriate documentation, with updated policies and procedures. Please contact us if you would like to discuss this and our thoughts on the impacts for your business.

Jude Owens, HR Director.
