GDPR and Data Protection Training For Small Business Employees
So what do your employees need to know?
Data Protection. The purpose of this article is to provide advice to employees of smaller companies who need training in data protection and in how the GDPR will apply to them.
The current law protecting information that organisations hold about individuals (or data subjects) is contained in the Data Protection Act 1998. This is due to be replaced by the General Data Protection Regulation (GDPR) on 25th May 2018. The new rules will be brought into force in the UK by the Data Protection Act 2018.
Supervision of the regulations and enforcement of the GDPR is the responsibility of the Information Commissioner's Office (ICO). The law places responsibilities on your company as the controller of personal data (including employees' data), but it also applies to each employee. Failing to process data lawfully can be a criminal offence. The consequences for your company of a data breach can be very serious: it can be ordered to pay large fines (up to 4% of the previous year's turnover or 20 million euros, whichever is the larger), and for this reason employees who cause a breach may be subject to disciplinary proceedings.
What is Processing Personal Data?
Personal data is any information that can be linked to a living individual anywhere in the world. This might be a name, images recorded on CCTV, an ID number, a personal email address or even an IP address. Processing personal data includes simply having it in your possession, so an unused PC in a store cupboard still counts as long as there is personal data on it, even if that is just one name. No company can process personal data without a reason, such as the consent of the data subject, a legal obligation of the data controller, or with a view to entering into a contract with the data subject. A full list of the six lawful reasons for processing can be found under Article 6 of the GDPR.
For the sake of completeness it should be mentioned that the GDPR applies to individuals, not just companies, unless the data is processed for 'purely personal' reasons. This includes pictures and information posted on social media, so if you post a photograph of your friend on Facebook you are processing personal data.
What is Special Data?
If your company processes what used to be called sensitive personal information, then you have enhanced data protection responsibilities towards the data subjects.
Special data is listed as being any data relating to:
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• data concerning health or sex life and sexual orientation
• genetic data
The Principles of Data Protection and the GDPR
Having defined personal data and special personal data, and what is meant by processing, we turn to the principles of data processing that the GDPR sets out and that must be complied with. Personal data must be processed bearing in mind the following principles of Article 5 of the GDPR:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Storage limitation
• Integrity and confidentiality
However, for most purposes you only need to ask four questions:
1. Is the information needed? (lawful, fair, purpose)
You should only ask for and process data that is relevant to the purpose for which you are keeping it. For example, you would not ask for someone's shoe size if they were booking a hotel room. The data you collect should be the minimum needed and not obtained for the sake of it.
2. Is it accurate?
The data you hold should be correct. Incorrect data can lead to loss to the data subject. For example, if you record a person as bankrupt but then fail to update your records when the bankruptcy is lifted, you would not be processing accurate data, and this might lead to loss if the data subject applied for a mortgage and was turned down.
3. Is it secure? (integrity and confidentiality)
Your company is responsible for preventing the loss of personal data through unauthorised access to it, by means of security measures and corporate procedures. Be careful who you pass data on to: check first whether they are within the EU and whether you have a legitimate reason to share the data you hold with that organisation. For example, you may need to pass your employees' details to an external payroll company, and this would probably be lawful. Passing the same details to a marketing company in the USA without reason would probably not be. Be careful with emails. It is very easy to send large amounts of personal data by email to other organisations without first thinking about whether or not doing so is lawful.
4. Would you mind the person seeing it? (transparency, fairness, accuracy, purpose)
The data subject is entitled to ask your company's data manager for all the personal data that your organisation holds in relation to him or her. This is so they can check that what you hold is correct and is processed lawfully. The data subject can object under the GDPR if the personal data is inaccurate, or is being processed without need or unfairly. If you need to make critical records about a data subject you should choose your language carefully, as they have a right to see everything. It is an offence to change, amend or update data after you have received a subject access request.
If you need any help with your GDPR and Data Privacy compliance call doming Moss on 01606 872200 or email firstname.lastname@example.org
The content of this note is provided for general data protection information only. It is not intended to amount to advice on which you should or can rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this note.