Welcome to our GDPR special!
Like many of the readers of this article, we are ourselves a small business (with fewer than 10 employees) and GDPR has been a herculean task. Although we’re not Personal Data consultants, we thought it might be useful to show how we have approached GDPR – you may like to consider using some of our templates and methods for your own business if you haven’t tackled this topic already. And make no mistake, if you haven’t, you will need to.
GDPR comes into force on May 25th 2018 and while many organisations will be compliant by that point, we suspect many more will play catch up in the following months.
We will make full copies of the policy and all of its schedules available free to any subscriber to myHRdept who has a current Premium or Premium Plus package with us. We are also in the process of updating all of our customer employment contracts and HR handbooks – this will be a rolling programme of work over the next few months. If you’re not currently a Premium or Premium Plus customer, please scroll to the bottom of this article to find out how to become one.
First the legal stuff: we are HR consultants, not Data consultants, and we offer no warranties with regard to any of the information following, nor with regard to information accessed via any of the links given. We accept no liability for errors or omissions and no responsibility for damages caused by your reliance on the information given or supplied separately from this newsletter – you should obtain independent expert advice before relying on any of the information given here. The information we have displayed here was published in May 2018 and we can only verify its correctness at that date; as sure as eggs is eggs, it will change as the legislation develops.
Love it or hate it (hate it mainly), GDPR (applicable from May 25th 2018) is here to stay and there are some basic things those of us who run businesses need to get to grips with. In GDPR world we are ‘Controllers’ or ‘Processors’. Or both.
A Controller determines what Personal Data (note the capitals – you’ll get used to that!) they are going to hold and how; a Processor uses Personal Data for some purpose or other. You employ people and therefore you are a Controller; if we are your HR supplier we will be a Processor of your Personal Data and we may process some of your employees’ Personal Data. As a Controller your responsibility is to ensure that we (and other third party Processors) process your and your employees’ Personal Data safely, and you’ll need an agreement with us to ensure we do that. If we are indeed your HR supplier already then we’ll send you an agreement to achieve this in due course.
There are some other basic principles: take measures to keep Personal Data secure; don’t hold Personal Data for longer than you have to; perform periodic checks to make sure all is well (and keep a record of these); and if you want to use Personal Data for anything other than a permitted lawful use, or in the proper course of fulfilling a contract with the person who gave you their Personal Data, make sure you get their consent in writing.
The following is a section by section breakdown of the policy we have written for our business and all of its schedules. If you want the full document (and you are a current customer) let us know and we’ll send you the whole shebang. In the documents we send you we will mark the bits that we consider are bespoke to our business, and therefore you would probably need to alter to make it look like yours. Existing customers who have any questions should contact us – Bill and Jess have been lead authors for myHRdept, but it has haunted the whole team at one stage or another.
Note, if you choose to use our templates as a guide for your own GDPR system, you should still expect to spend 2 – 3 days preparing your own document set. It has taken us more than 6 weeks of solid effort to get this far!
In the remainder of this article I will describe the Data Protection Policy, and each of the 9 schedules we have annexed to it.
GDPR Data Protection Policy. The policy is the hub and describes Personal Data protection principles and the laws about how Personal Data may be obtained and processed. It describes what rights an individual has with respect to their own Personal Data and refers to a number of schedules for more detail. We chose to include the rest of the GDPR system documents as schedules to the policy for neatness, but they could equally be standalone documents. A lot of the GDPR policy is standard stuff, but there is some bespoke content in S11. All employees are required to read and sign the GDPR policy. We did this by printing off the policy and the schedules and putting them in one file. Given there are fewer than 10 of us, physical signatures were easy; our 1 remote employee was emailed a copy and she scanned and signed the back sheet. The file is on display in the office for all to see.
Note that we have opted not to put the Data Protection Policy and all of the Schedules into our staff handbook. The policy and schedules amount to more than 60 pages and would have dominated a handbook that we’ve struggled for years to make as short and simple as possible. The exception is Schedule 5 – the Privacy Statement (employees and contractors). That document is more suitable for a handbook and so we’ve included it there.
The first 3 schedules took the bulk of the time and required extensive enquiries with 3rd party suppliers to establish whether (or not) they were GDPR compliant and whether or not we needed to take measures to further enhance the safety of our handling and communication of Personal Data.
Schedule 1 – Data Impact Assessment. In many ways you should start with this document first. This was actually quite a useful exercise as it made us think about what Personal Data we handle, where it comes from and where it goes to. Since the regs require GDPR agreements to be signed with third party processors, this document was useful in identifying who they are (so that we could prepare agreements for them to sign, based on the template in Schedule 8). We approached this document as a risk assessment: what could go wrong, and what might we do to stop this, or at least cover our backs legally if a third party processor did something wrong.
Schedule 2 – Record of Processing Activities. This schedule explains what information we keep and what we use it for. Given that we are a Data Controller for our own employees’ Personal Data and a Data Processor for our clients’ employee information, we covered both aspects in this document.
Schedule 3 – GDPR Security Measures. Having carried out our Data Impact Assessment and described what activities we use Personal Data for, the next step was to think about what we’re going to do to keep Personal Data secure. Most of the measures described in our document were in place already, but we also made some additional decisions, for example to ensure that we password protect documents that identify Data Subjects (aka people!) when emailing these to (and from) clients. We developed a password protocol that our team and clients will (hopefully) easily understand, but other parties receiving documents in error won’t. It also made us think about our anti-virus software, and what minimum settings we wanted to maintain. We decided to change the way we take payments for ad hoc services, moving from an online system to a PCI compliant chip and pin terminal, totally independent of our other systems. Finally we banned the use of USB sticks for clients’ Personal Data.
The point is that we genuinely thought about and improved the way we conduct our business with respect to Personal Data security and we learnt a great deal too.
Schedule 4 – Data Retention Periods. This one is simple: how long will we keep Personal Data for before we erase it, shred it or anonymise it. Later of course we have the not insubstantial task of going through 2TB of files to make sure there’s nothing in there beyond those periods.
Schedule 5 – Privacy notice (employees and contractors). This is the first of 3 privacy notices; it is now on our website and is also a standard part of our staff handbook. It informs staff about what we keep and why, what lawful grounds we have to process their Personal Data without further consent and what their own rights are towards the Personal Data we hold about them. We’ll make sure that every employee, worker or contractor we engage will be given one of these.
Schedule 6 – Privacy notice (candidates). We do a lot of recruitment, mainly for clients, and this notice is designed to be signed (auto-signing is fine) by candidates whose details we want to process, store or pass on. This will be an extra stage in the recruitment process but at least ensures that when we send on a candidate’s details to a client that candidate has given us permission to do so. This privacy notice is displayed on our website and adverts will be linked to it.
Schedule 7 – Privacy notice (website visitors). The last privacy notice relates to web visitors themselves and talks about what we do with Personal Data we collect about them. It includes a (probably too brief) section on cookies and some information about how we use newsletters to help communicate with our clients and for e-marketing purposes. It’s worth noting that we are a ‘B2B’ company – we don’t market to members of the public and our services are designed only for other employers. This is significant because it means that we don’t have to ask for opt-in permission in order to send out comms and marketing. If your business involves marketing to members of the public you will have to ask people to opt in – you’re probably already fed up of the ‘can we stay in touch’ emails from businesses.
Schedule 8 – GDPR 3rd party agreement. This is an agreement we expect third parties who may process our employee Personal Data (or a client’s employees’ Personal Data) to sign to confirm that they will adhere to privacy laws in the same way that we do. Each of these will be different because we use 3rd parties for different things and those things should be reflected in the agreement. Once the template was drafted, customising it for the half dozen or so regular third party processors we use didn’t take long. We took the decision not to seek 3rd party agreements with substantial companies we work with – Santander, Microsoft and Mailchimp being 3 examples. We have good cause to believe their security is adequate and we doubt very much that they would sign a 3rd party agreement if we asked them anyway!
Schedule 9 – Audit. This short document describes the things we will check each year to make sure that the GDPR measures we have in place are actually working. We have decided on an annual check of employee computers, client files etc. at the quietest time of the year (midsummer for us) plus spot checks from time to time. We will share this with our employees to ensure that there are no surprises – we want a safe data culture, not a police culture!
And there you have it. In February I casually thought it would take a couple of days to reach compliance. On the 3rd May I’m finally in a position to tell you what we’ve done – and have been working on it most of every day in the interim. I realise by now many of our readers will have paid a consultant to sort this out for them, but for those that haven’t we hope the above is useful. If you’re a myHRdept Premium or Premium Plus customer you’re welcome to the full set of documents as we have them; if you’re not, why don’t you sign up and we can sort out employment contracts and GDPR compliant HR policies while we’re at it. If you made it this far, congratulations and thank you for reading.
Remember, we are not Data Protection lawyers or consultants, and we certainly don’t intend to be. Seek advice if you’re unsure and please remember we supply our document set to you free of charge and without liability for errors, acts or omissions resulting from your reliance on our GDPR document set.
If you're thinking of outsourcing your HR why not contact myhrdept.co.uk. With HR Outsource packages from only £140 per month (and from as little as £80 per month for start-ups) and support for HR Projects available for one-off issues, we believe we offer the best combination of quality and price available in the UK. Call us on 01628 820515 to discuss your requirements, or contact us and we’ll call you back.