What we Expect to see in the Coming Months: GDPR
It looks like 2023 will be another busy year in data protection, with some significant changes expected to the UK data protection regime, as well as further guidance for employers from the ICO. We have set out some of the principal data protection themes relevant to employers below.
Updates to UK GDPR
In 2022 the UK government set out plans for a number of substantial updates to the UK GDPR. Discussions will recommence later this year. It is anticipated that the changes indicated by the Data Protection and Digital Information Bill will be the minimum changes made to the UK data protection regime. More far-reaching changes could be introduced in an attempt to reduce the burden on businesses.
The minimum changes that we expect to see that will affect the way in which employers deal with data subject access requests include:
- An amendment to the circumstances in which employers can say no and refuse to respond to a DSAR. The draft bill had proposed that employers can charge a fee or refuse to respond to a DSAR where the request is "vexatious or excessive". Previous governments had indicated a desire to move away from DSARs being processed where personal data or concerns about its processing are not the purpose of the request.
- A change to the definition of "personal data" so that it only needs to be considered whether an employer or others likely to receive the data are reasonably likely to be able to identify the individual in question. Essentially, this would be a more subjective test and may limit what is in scope of a DSAR.
Information Commissioner's Office Updates (ICO)
The ICO has indicated that it plans to provide individuals with a better understanding of how their information is used and accessed over the course of this year. Data subject access requests (DSARs) form a major aspect of this and the ICO has specified that it plans to introduce a new "subject access request tool" which will help individuals to identify where to send their requests and explain what they should expect from the DSAR process. It has also indicated that it will provide individuals seeking to exercise their rights with "easy to access answers" (that is, FAQs).
The ICO has also expressed its goal to reduce the burden or cost of compliance with data protection laws. It is seeking to accomplish this through a series of services, tools and initiatives "so organisations can benefit from the advice and support of the regulator when planning, innovating and managing information risk".
How the pandemic affected Gender Pay Gap Reporting
Measurement is vital to understanding how much of a problem the Gender Pay Gap is. The World Economic Forum (WEF) Global Gender Gap 2021 report found that the impact of the pandemic has pushed back the gap’s likely date of extinction from just under 100 years to 136 years’ time.
The pandemic and the many business decisions it created fell on women disproportionately. Working mothers were more likely to have their working hours reduced, be furloughed, or lose their jobs than their male colleagues.
The UK Government introduced regulations to improve the level of scrutiny of the gender pay gap. All businesses with 250 or more employees had to publish their gender pay gap. This began in 2018 and there quickly emerged a consistent pattern of gender pay inequality amongst millions of employees, within organisations and across many sectors. Not only did the pandemic damage the job and pay prospects for women but also the progress made in this form of reporting.
Just two weeks before the April 2020 deadline for private sector businesses to publish their April 2019 gender pay gap statistics, the Government announced that due to the pandemic there would be no mandatory requirement to report gender pay gap data in that year.
Despite the negative impacts of the pandemic on an employer's gender pay reporting, businesses should see this as an opportunity to work on effective strategies to reduce the gender pay gap.
Related Articles:
Gender pay gap reporting begins
Data Protection complaints increase since GDPR
Nearly 5 months since the General data Protection Regulation (GDPR) was introduced across all of the European Union, complaints around Data Protection have nearly doubled in the UK according to the Information Commissioner’s Office (ICO)
GDPR was designed to give Data Subjects more control over their personal data, with more transparency and the threat of larger fines to those in breach of the new rules. The GDPR requires any company that suffers a data breach to notify its users/data subjects within 72 hours of the breach being discovered.
• Data protection complaints to the UK’s ICO rose to 4214 in July compared to just 2310 complaints received in May before the GDPR came into force. A spokes person for the ICO said the increase was expected, as more users became aware of data protection because of publicity around the new rules and following a series of high-profile data scandals involving some well-known household names, like Morrison’s and Dixons Carphone.
• In July the ICO reported that since May 25th, it had seen a four-fold increase in the number of breaches that organizations were self-reporting.
Experts note, however that the increase’s do not mean that the number of data breaches has suddenly gone up, but rather reflects the full scale of the data breach problem becoming better known.
Organisations that fail to comply with GDPR can face fines of up to 4% of annual global revenue or €20 million, whichever is greater. So far none of the EU’s Data Protection Agency’s have levied any fines. Multiple DPA’s told the International Association of Privacy Professionals Advisor Newsletter that it is simply too soon.
We will be hosting a free online webinar on ‘GDPR 5 Months On’ on Tuesday October 16th at 11am, where we will look at the implications of GDPR on payroll processing and how employer’s can be demonstrate compliance by following a few, simple steps.
To register for this webinar please click here.
GDPR deadline gone - What now?
If you haven’t already updated existing policies for GDPR or if you haven’t started to look at the implication of the new regulations within your organization, you still have time. GDPR compliance will be an on-going process and therefore will need to be monitored and updated on a regular basis – it will not be just a one-off exercise, so it’s certainly not too late to make a start on those updates to get you on the road towards compliance.
The first thing you should consider is to create an inventory of all the personal data you currently store and/or process, whether that be data belonging to employees, customers or suppliers. This inventory will go a long way in helping you, as you will be able to garner from it any areas that need updating or creation of new procedures to help with meeting the GDPR requirements.
• Employee Privacy Policy - If you have employee’s, does the existing contract detail what data you process on them, with whom and what they’re rights are in relation to that data? If not then you would need to create an Employee Privacy Policy.
• Clean Desk Policy – Do you operate a Clean desk Policy? Whereby data belonging to customers or suppliers is not left out on desks overnight where cleaners/security staff may have access to them.
• Data Processor Agreement - Do you share any employee information with your accountant or pension provider? If so do you have a valid or up to date contract or letter of engagement covering the new GDPR stipulations between data controllers and data processor’s?
Realistically it will be difficult for any organization to ever be fully compliant with GDPR; however once you are not ignoring your obligations under the new rules and have or are in the process of taking steps towards demonstrating compliance this should be sufficient if you ever face a Data Protection inspection.
If you require further guidance on GDPR please see our dedicated support section on our website where you can find on-demand GDPR webinars, FAQ’s and template documents like a Data Processor Agreement.
Bright Contracts has also recently been upgraded to include a new Employee Privacy Policy feature whereby you can tick off another box to prove compliance under the new GDPR regulations. Download a free trial of Bright Contracts here. Book a free online demo of the software.
BrightPay - Payroll and Auto Enrolment Software
Bright Contracts - Employment Contracts and Handbooks
Privacy Policies - A GDPR Requirement.
One of the main principles of GDPR is that Data shall be processed lawfully, fairly and in a transparent manner, these three elements overlap and all three must be satisfied in order to demonstrate compliance.
Employers, as both Data Controllers and Processors, must be able to show how they comply with the new data protection principles and be clear and open with their employees about the processing of data and their rights. The GDPR stipulates that anywhere personal data is being collected, either directly or indirectly, Privacy Notices should be in place, these policies are critical to complying with the transparency obligations in the GDPR. So the introduction of an Employee Privacy Policy will cover the required elements and ensure demonstratable compliance in this regard.
The Privacy Policy should be written in a clear and easily-understandable format and must include;
• What data is processed – name, address, PPS no., bank details, etc.
• How it was obtained – employee detail request form, CV, ROS, etc.
• The ‘legal basis’ for processing the data – contractual necessity, legal obligation, etc.
• Who has access to it and any third parties– HR dept., payroll clerk, pension company
• How it is stored and security – HR system, Thesaurus software, encryptions, etc.
• How long it is kept for –set in company policies or statutory requirements
• The rights of the employee – right to access, rectification, erasure, etc.
• If data is transferred outside the EEA
• Contact details of Data Controller
We have recently upgraded our Bright Contracts software to include a new Employee Privacy Policy feature, so now employers can facilitate the main GDPR principle of lawful, fair and transparent processing of the employee data. We have also updated the Data Protection Policy within the Handbook and the Data Protection Clause within the contracts.
To download a free trial of Bright Contracts, click here.
To request a free online Demo of Bright Contracts, click here.
BrightPay - Payroll and Auto Enrolment Software
Bright Contracts - Employment Contracts and Handbooks
GDPR and employee files - What you need to know
The General Data Protection Regulation (GDPR) will come into force on 25th May 2018 changing the way we process data forever. The aim of the GDPR is to put greater protection on the way personal data is being processed for all EU citizens. Personal data can be anything from a name, an email address, PPS number, bank details etc so as you can imagine employers process a huge amount of personal data on a daily basis. So how will the GDPR affect employers in terms of processing employee data?
Consent
Data in the employment context, will include information obtained from an employee during the recruitment process (regardless of whether or not they eventually got the job), it will also include the information you hold on current employees and previous employees. All this information may be saved in hardcopy personnel files, held on HR systems or it could be information contained in emails or information obtained through employee monitoring.
Under GDPR your employee’s will have increased rights around their data.
These rights will include:
• The Right to Access. It’s not a new concept that employees will be able to request access to the data you hold on them. However, there is a new recommendation that where possible employers should provide their employees with access to a secure self-service login where they can view data stored on them. This backs-up the whole concept of transparency and ease of access to data, which underpins the new Regulations.
• The Right to Rectification. Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This is an existing right and the onus is on the employer to ensure that your employee records are kept up-to-date. To help ensure you maintain up-to-date records, employers should make it easier for employees to update their data.
• The Right to be informed. Employers must be very transparent with employees about what data you hold, why and how long it is held for. Up until now it has been the common practice for many employers to include a standard clause in the employment contract regarding the processing of HR Data, under GDPR that will no longer be sufficient. Employers need to be reviewing their Employee Data Protection Policies and possibly writing new Employee Privacy Policies that go into detail on the processing of employee data.
Employee self service
Under the GDPR legislation, where possible employers should be able to provide self-service remote access to a secure system which would allow employees view and manage their personal data online 24/7. Furthermore, the cloud functionality will improve your payroll processing with simple email distribution, safe document upload, easy leave management and improved communication with your employees. By introducing a self-service option, you will be taking steps to be GDPR ready.
For information on employee files and how long to keep them please see our support page: Record Keeping Requirements
To book a free online demo of Bright Contracts click here.
To download your free trial of Bright Contracts click here.
BrightPay - Payroll and Auto Enrolment Software
Bright Contracts - Employment Contracts and Handbooks
GDPR FAQ's Answered!
The General Data Protection Regulation comes into force on 25 of May 2018. It is legislation with new rules and guidelines on how to protect and process personal data. It is replacing existing data protection regulations that dated back as far as 1988 – obviously pre-dating the era of internet and social media as we currently know it. We are all having to evolve; amending policies and changing how things are done to take into account the new GDPR rules, so here are some of the queries we are receiving into our Bright Contracts support lines on GDPR which you may find useful:
Does GDPR apply to me?
If you are a company in this country, if your company is a sole trader or a limited company, if you have employee’s working for you or customer’s paying you, then you will more than likely hold some form of personal data belonging to them (i.e. a name, an address, a PPS number, a VAT number) If you hold anything that could be classed as personal data then the new GDPR will apply to you.
What is Personal Data?
Personal Data is defined as, “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person.”
It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. (This is not an exhaustive list by any means) So, do you hold any of that type of information in your company? Of course you do; whether it is your clients, your customers or your employees. Somewhere along the line you will be dealing with personal data.
What rights do employees have under the GDPR?
As Data Subjects*, employees will have new and enhanced rights under the GDPR. The key rights in relation to employees include:
• The right to be informed: this emphasizes the need for transparency in how personal data is used. Employers should now be looking to revise their data protection policies and to implement new employee privacy policies outlining exactly what data is being held on employees.
• The right of access – there are amended rights surrounding an employee’s right to submit a data subject access request. A data subject access request involves an employee requesting to view all data retained on them, this will include data stored electronically and on paper files.
- Time-frame for response has been reduced from 40 days to one month.
- It will no longer be permissible to charge a fee in order to respond to a subject access request.
• The right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete. In fact it is recommended here that employers take steps to put the onus on employees to update their personal details should they change. For example, authorities will look unfavourably on employers who are communicating with employees through an old address having made no effort to ensure the address is correct. Employers are well advised to include a clause in employment contracts outlining the employee’s responsibility to notify the employer of a change in personal details.
• The right to erasure, also known as the right to be forgotten. The broad principle being that an individual has the right to request deletion or removal of personal data where there is no compelling reason to retain the data e.g. a legal requirement to retain employee data will always be a compelling reason to retain data.
* Data Subject: “an individual who is the subject of the personal data”.
Bright Contracts employee compliant GDPR policies are coming soon!
- If you would like to be notified when they are complete please click here
- For further information register now for our GDPR webinars click here
- Read our GDPR blogs here
To book a free online demo of Bright Contracts click here
To download your free trial of Bright Contracts click here
10 thing you NEED to know about GDPR
1) What is GDPR?
GDPR stands for General Data Protection Regulation and will come into force on the 25th of May 2018. GDPR is a European privacy regulation replacing all existing Data Protection legislation. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. The current data protection legislation dates back to 1998 – a time when internet usage and cloud technology was vastly different.
2) Who does GDPR apply to?
The GDPR applies to all businesses including sole traders, located in the EU that process personal data. It also applies to non EU organisations if they offer goods or services to, or monitor the behaviour of, EU citizens. It applies to all organisations processing and holding the personal data of EU citizens, irrespective of the organisations location.
3) What is personal data?
Personal data is defined as “any information related on a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person.” Personal data can be a:
• A name
• A photo
• An email address
• Bank details
• Posts on social networking websites
• Medical information
• CCTV images
• Records of websites visited
• A computer IP address
4) What are the 6 principles of GDPR?
Personal data should be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary
• Accurate and kept up-to-date
• Kept for no longer than necessary
• Processed in a confidential and secure manner
5) Where is a good place to start preparing?
A good starting point for preparing for GDPR is to create an inventory of all personal data held and answer the following questions:
• Why are you holding the data?
• What is the legal basis for holding the data?
• How is the data obtained?
• Why the data was originally gathered?
• How long is the data held for?
• How is the data saved? Is it saved securely?
• Is the data shared with anyone else and with whom?
As the GDPR requires organisations to be in a position to demonstrate compliance with its requirements, documenting the above will enable employers to:
• Identify and gaps in compliance
• Put in place processes to rectify gaps
• Produce evidence of its compliance on the new GDPR
In preparation for GDPR you must be aware of your data protection responsibilities and ensure that all employees are aware of their responsibilities when processing data. Ensure that you have an up to date data protection/privacy policies addressing the six principles of GDPR and apply it to your organisation.
For more information see: “12 steps to take for GDPR”
6) How do I report a breach?
A breach is defined as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data. Breaches must be reported to the ICO within 72 hours, but only if the breach is likely to result in a high risk to the rights and freedoms of individuals for e.g. result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Breaches likely to result in a high risk to the rights and freedoms of individuals must also be reported to the individuals concerned.
7) What are the consequences of a GDPR breach?
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines e.g. a company can be fined 2% of annual global turnover or €10 Million (whichever is greater) in some situations for lesser breaches.
8) Do I need a Data Protection Officer (DPO)?
The main role of the DPO will be to monitor internal compliance and it is mandatory to appoint a DPO for:
• Public Bodies
• Organisations engaged in large scale regular/systematic monitoring
• Organisations whose core activities consist of processing “special categories” of data or data relating to criminal convictions
• May be mandatory in other contexts as defined by Member State Law
9) What is Bright Contracts doing to ensure compliance with GDPR?
Data Protection has always been a priority for Bright Contracts and we’ve always aimed to act with complete integrity in this regard. We are committed to being GDPR compliant and are putting a number of security measures in place including:
• We are reviewing our privacy policy and making necessary changes where needed to ensure we are communicating accurately with our customers.
• In terms of the Bright Contracts content, we will be amending the appropriate data protection clauses in the contract and handbook. These will be completed well in advance of 25th May 2018.
10) How secure is my data in Bright Contracts?
Your Bright Contracts data files are encrypted so if someone gets a copy of your data they cannot read it. Whilst we have security measures in place to protect your data, it remains your responsibility to keep your sign in details secret and to sign out of Bright Contracts when you are not using it and to ensure there is no unauthorised access to your computer.
For further information register now for our GDPR webinars here
And read our GDPR blogs here
To book a free online demo of Bright Contracts click here
To download your free trial of Bright Contracts click here
The countdown to the GDPR is on!
With less than 5 month to go before the new General Data Protection Regulation (GDPR) comes into force employers are urged to start preparing immediately if they haven’t already done so.
What is it?
The GDPR is a European privacy regulation replacing all existing data protection regulations and will come into play on 25 May 2018. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
The GDPR applies to all businesses including sole traders that process personal data (a name, photo, email address, bank details etc.) so it is safe to say that it will affect all businesses in some way. Employers are advised to be prepared otherwise they will face fines of up to €20M or 4% of annual global revenue, whichever is greater, for non-compliance. So how can you start preparing to ensure your business is fully compliant?
Preparation
A good starting point for preparing for GDPR is to create an inventory of all personal data held and answer the following questions:
• Why are you holding the data?
• What is the legal basis for holding the data?
• How is the data obtained?
• Why the data was originally gathered?
• How long is the data held for?
• How is the data saved? Is it saved securely?
• Is the data shared with anyone else and with whom?
As the GDPR requires organisations to be in a position to demonstrate compliance with its requirements, documenting the above will enable employers to:
• Identify and gaps in compliance
• Put in place processes to rectify gaps
• Produce evidence of its compliance on the new GDPR
In preparation for GDPR you must be aware of your data protection responsibilities and ensure that all employees are aware of their responsibilities when processing data. Ensure that you have an up to date data protection/privacy policies addressing the six principles of GDPR and apply it to your organisation.
For further information register now for our GDPR webinars here
And read our GDPR blog here
To book a free online demo of Bright Contracts click here
To download your free trial of Bright Contracts click here
What lies ahead for employers in 2018?
2018 looks set to be another busy year. We take a look at some of what’s coming down the pipeline.
April 2018 - Gender Pay Reporting
Private and voluntary sector employers in England, Wales and Scotland with at least 250 employees will be required to publish information about the differences in pay between men and women in their workforce, based on a pay bill ‘snapshot’ date of 5 April 2017, under the Equality Act 2010 (Gender Pay Gap Information) Regulations 2017. The first reports must be published by 4 April 2018.
Legislation in Northern Ireland mirror the above, except they also include fines of up to £5,000 for non-compliance, and a requirement to report on ethnicity and disability pay gaps, as well as gender.
April 2018: Termination Payments
The government plans to make changes to the taxation of termination payments from April 2018. The proposals include:
• removing the distinction between contractual and non-contractual PILONs (payments in lieu of notice) so that all PILONs are taxable and subject to Class 1 NICs]
• ensuring that the first £30,000 of a termination payment remains exempt from income tax and that any payment paid to any employee that relates solely to the termination of the employment continues to have an unlimited employee NICs exemption
• aligning the rules for income tax and employer NICs so that employer NICs will be payable on payments above £30,000 (which are currently only subject to income tax)
A government consultation on the issue closed in October 2016.
April 2018 – Restricting Employment Allowance for Illegal Workers
The government plans to introduce a further deterrent to the employment of illegal workers. From April 2018, employers will not be able to claim the Employment Allowance for one year if they have:
• hired an illegal worker
• been penalised by the Home Office
• exhausted all appeal rights against that penalty.
A consultation containing draft regulations closed in January 2017.
25 May 2018 – General Data Protection Regulations
The much anticipated General Data Protection Regulation will come into force from 25th May 2018. For those who haven’t already started preparing, now is the time. The GDPR will apply to ALL companies and sole traders that process personal data, the definition of personal data is broad and can include anything from a name, an email address or an IP address.
With possible fines of €20 million or 4% of annual turnover – which ever is higher, businesses need to sit up and take heed.
For further information of GDPR sign up to our employers webinar here or read our blog here.
To book a free online demo of Bright Contracts click here
To download your free trial of Bright Contracts click here
To subscribe to our newsletter click here
