A date with new HR data laws – your responsibility to keep information safe

Data protection is a top priority for all businesses. No matter how many people you employ you’ll need to make sure you’re keeping their data safe

Soon this will be of even greater importance when the General Data Protection Regulations come in. Penalties await businesses that fail to meet their data protection obligations. In this week’s blog we’re helping you to figure out whether you’re on the right track…
Responsible for the HR administration in your business? You’ve got a lot on your shoulders.
Keeping track of data and ensuring its usable is a big challenge. Believe us, it only gets bigger the more your business grows! But forget how you use the data you hold for a minute, because we’re talking about your the duty to keep the information you hold about your staff safe.
Data security legislation is up there with Health and Safety, as some of the most hated and ignored aspects of employing people by SMEs. However, you won’t be able to cast a blind eye to it when the new General Data Protection Regulations come into force in May 2018. You may have under two years to prepare, but prepare you must. The fines for non-compliance can be as high as 4% of your annual turnover for a fundamental breach. Now we’ve got your attention!
Although these new regulations are EU-based, they will be in place before Brexit and it’s unlikely they’ll be lightened. Data security issues are only likely to become more serious, so the UK government won’t be taking its foot off the pedal.
This will be a bigger issue than first meets the eye. Aside from the standard information you’ll have on current employees, consider what information you hold about former staff. What do you do when a Subject Access Request (SARS) arrives? This may be from a customer or a disgruntled employee on a fishing trip.
Currently they have to pay £10, and you have 40 days to provide the information. This usually requires an awful lot of work sifting through emails, CRM systems, payroll, employee or customer files, as well as any hard copies. The new regulations remove (in most cases) the fee, and insist that responses are concise, transparent and easily accessible. There is also increased protection for individuals, requiring informed consent before processing their data. So the pre-ticked box or inferred consent by silence will not be allowed.
Like all these things, it is important that you have clear policies and processes that demonstrate your company complies with the data protection principles. The policies need to be specific about how and why data is collected and for how long it will be stored. Training staff about the importance of security and the risk of careless handling of sensitive personal data is paramount. This all plays a considerable part of being a responsible employer, so make sure data security is something you’re aware about and engaging with. Although from 2012, here are some real life breaches and the penalties the organisations incurred as a result of them.
If you’re not sure quite where to start, The HR Dept can help, and there are some useful links below.
To keep your data secure why not move it onto a secure server like the one we use for our HR Toolkit platformChoose the right one and it’ll keep your data safe through encryption and password protection, as well as make your paper files redundant. No more trips to the shredder then!
The ICO (Information Commissioner’s Office) has a 12 step guidance plan, click here to take a look.


Sponsored by
Ian heads up the HR Dept Edinburgh & the Lothians team. The HR Dept specialises in helping SMEs with everything to with employment, through a local and personal service delivering practical and pragmatic advice and support. With nearly 30 years HR experience, Ian has a wealth of experience in helping businesses to ensure success through their people, be legally compliant and handle tricky people issues. As a business owner himself, Ian understands the challenges that come with running and growing a business. He is known for his ability to explain complex concepts simply and to make learning fun and enjoyable.