As an employer, you doubtless seek to ensure that you operate legally. Contracts of employment, staff manuals, equality compliance – all bread-and-butter HR practices.
But have you ensured you are ‘GDPR’ compliant? SMEs are equally subject to privacy laws as their larger counterparts, and just as vulnerable to legal and regulatory risks should they get it wrong.
Have you met the ‘transparency’ requirement with your staff? Have you provided adequate training to those handling sensitive data? And are you aware of how ‘weaponised’ privacy has become in employment litigation? These are as much ‘HR’ topics as legal ones.
This overview discusses the ‘basics’ of GDPR from an SME perspective, and will hopefully allow you to evaluate your current level of compliance.
Are you compliant?
There are many facets of GDPR which may apply to a business, depending on factors such as its size and the nature of its data processing. These may include data protection officers, training, data privacy impact assessments, international transfers and third-party processing.
However, even for small employers, there are basic requirements which must be met:
• Depending on the nature of your business, you may be required to register with the ICO and pay an annual fee. If you’re not sure if this applies to your business, you should check here;
• Even if you don’t need to pay a fee, GDPR will still be relevant and, if you employ people, you need to meet the ‘transparency’ requirement explained below;
• You may also wish to assess your overall compliance status with the ICO’s tool here.
Transparency – what the law requires
In the words of the ICO “Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR”.
The topic of privacy policies, how they apply to SME employers, and how we can assist with compliance, is discussed in greater detail in our guide GDPR and the Transparency Requirement.
Do you train employees in privacy?
One of the questions asked by the regulator in its small businesses self-assessment tool (see above) is “Do you and your staff (if you have any) know your data protection responsibilities?” In the explanatory text, it goes on to cite the example of a builder with a couple of office staff. The point here is that anyone handling personal data in their place of work should have an understanding of the law and how to manage data securely.
For most data controllers, there is plenty of relevant guidance on the ICO’s website, but it is essential that you not only deliver awareness information but clearly document the process.
If, however, you are processing either significant amounts of data, or particularly sensitive data, you should consider engaging professional support.
Bear in mind that, should a data breach occur through human error, the regulator is likely to question whether data handlers were given appropriate awareness.
GDPR and employment litigation
Should one of your (ex-)employees consult a lawyer with a view to launching employment litigation, the odds are that the latter will immediately recommend the submission of a GDPR ‘Subject Access Request’.
Lawyers harness this legal right as an evidence ‘fishing’ tool – looking for that incriminating email to compromise you and bolster a claim of maltreatment.
They are well versed in casting their net as widely as possible, using broad language such as “all internal communications that relate to me, including emails and other electronic documents throughout the period of my employment”. They will also sometimes ask for information to which the applicant isn’t actually entitled, in the hope that an ill-informed employer will simply comply.
Whilst compliance with this may seem straightforward, there are areas where interpretation and judgement are required:
• Is the document actually about the data subject? Ordinary business communications, to which the applicant was merely a party in their professional capacity, are not in scope;
• Would disclosure of the data adversely affect the privacy rights of another employee? Even if their name was redacted? If so, disclosure may be inappropriate but redaction must be justified;
• Is the request sufficiently complex to warrant an extension of the one-month deadline?
• How should electronic records be searched and data extracted securely?
With all of this in mind, should you ever receive a subject access request, you need to consult – immediately – someone with good knowledge of both the law and its practical application. It is very unlikely that your company’s regular solicitor can provide these capabilities.
GDPR and SMEs – How I can help
Firstly, there are a few reasons why you may need my help.
• All employers are vulnerable to disgruntled employees, and non-compliance with GDPR can leave them exposed;
• Designing GDPR documentation that would withstand legal challenge, or responding to a Subject Access Request effectively, requires knowledge and practical experience;
• Specialist privacy lawyers are often ‘overkill’ for smaller organisations and commensurately expensive.
Using a professionally-qualified practitioner minimises risk and legal liability.
What is my approach?
• I will assess anything you already have in place and will not try to sell services where they are not required;
• My professional fees, agreed in advance, are low compared to larger consultancies or specialist lawyers;
• I offer a ‘virtual’ data protection officer package, with annual staff training and on-demand GDPR support, for a low fixed fee.
• I have over seventeen years of practical experience in privacy and information security in corporate settings, so can apply the law in a pragmatic manner and one suited to your actual requirements.
Michael Brunker CISM CIPP/E
Principal – BRP Consulting
Collaboration Partner – The Brooke Consultancy