The General Data Protection Regulation and employee data: Good news for SMEs
Here are five pieces of good news for small and medium enterprises (“SMEs”) about handling employee data under the GDPR – including why it represents an opportunity for SMEs to strengthen employee engagement.
- Many core data protection principles remain the same
The new law is not a complete rewrite of the old regime - many of the rules on processing, transfer of data and access to personal data will be very familiar. See our GDPR Learn-o-Graphic for more information about what’s changing, and what’s staying the same under the GDPR, as well as practical steps to take now.
- SMEs receive special treatment:
- SMEs (here, organisations with under 250 employees) are excluded from some of the more cumbersome new requirements to keep records of processing activities (Article 30 of the GDPR);
- There may be further exemptions for SMEs when implemented by the UK nationally (and across the EU). However, exemptions are likely to be fairly limited as the GDPR is aiming for a more consistent data protection regime overall;
- Unless your organisation carries out large scale monitoring or processes specific sensitive personal data (or you are a public body) then it is unlikely you will be required to appoint a data protection officer, although some organisations may choose to do so.
- Rules on employee consent to process personal data are being clarified
There was always concern that employees do not give genuine consent for employers to process their data when it forms part of employment documentation. Under the GDPR consent must to be as easy to withdraw as to give – opening the door for disgruntled employees to withdraw consent at any time leaving the employer without a lawful basis to process HR data.
Many employers will use this as an opportunity to identify alternative grounds for lawful processing of employee data which do not have these pitfalls. For more information and practical tips see the Data Subject Access Rights section of our GDPR Learn-o-Graphic.
- Data subject access requests: you already have a headstart
Most employers have had to manage data subject access requests for years - the rules are being tightened and time frames shortened. SMEs should use this as an opportunity to update old policies and procedures and make clear that you take your obligations seriously. Again, see the Data Subject Access Rights section of our GDPR Learn-o-Graphic.
- A valuable employee engagement exercise
“Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong”, according to the ICO Deputy Commissioner for policy.
Practical steps to implement the GDPR will vary between organisations, depending on their size, what data they process how and why. But understanding how employees want their data to be handled and communicating implementation effectively could send a powerful message to employees: that they are valued, enhancing trust as well as the quality of information. Similarly, many businesses regard the GDPR as an opportunity to improve value to customers and to innovate by making the best use of the data you handle.
Overall, it is our view that unless an SME conducts high risk processing, or fails to take reasonable steps to implement the rules, then the focus will not be on such organisations - for now.
What should you do now?
SMEs should plan now for the GDPR, to make the most of the opportunities it represents as well as to ensure compliance. We offer a simple, checklist based approach to analyse what data you process, how and why, to provide you with a user-friendly structure for ensuring compliance.
If you have questions or concerns about practical implementation, please get in touch with Guy Abbiss at firstname.lastname@example.org or Emma Clark at email@example.com so we can guide you through the steps to getting your business compliant and making the most of the new rules.
The ICO has also produced a helpful toolkit for SMEs on the implementation of the GDPR: