{"id":7169,"date":"2018-01-16T00:00:00","date_gmt":"2018-01-16T00:00:00","guid":{"rendered":"https:\/\/www.kateunderwoodhr.co.uk\/blog\/uncategorized\/small-business-gdpr\/"},"modified":"2021-11-10T17:42:56","modified_gmt":"2021-11-10T17:42:56","slug":"small-business-gdpr","status":"publish","type":"post","link":"https:\/\/www.kateunderwoodhr.co.uk\/blog\/uncategorized\/small-business-gdpr\/","title":{"rendered":"The 5 Best Tips To Prepare For GDPR"},"content":{"rendered":"


5 Simple Ways Small Businesses Should Prepare For GDPR<\/h1>\n

Over the last week, the main topic of HR conversation has been how small businesses need to prepare for GDPR. Some discussions have been very proactive, but many believe they do not need to prepare for GDPR as it does not affect them, either because they are too small a business or because the UK is soon leaving Europe, so they think it doesn’t matter.<\/p>\n

Unless you have been living in your own bubble, you will know that large organisations have had huge security breaches – the top 31 Infamous data breaches<\/a> include the likes of Tesco, Morrisons, and Uber to name a few. As of May 25th this year, the Data Protection Act of 1998 (yes, it’s been that long since it was updated) will be replaced with the General Data Protection Regulation (GDPR).<\/p>\n

I understand on top of everything else a small business owner has to do, having to prepare for GDPR will seem like another weight on your shoulders. Hopefully, this blog shall help you become proactive (rather than reactive) and ensure that you know who has access to your data and what they are doing with it.<\/p>\n

Prepare For GDPR By Reviewing The ICO Website<\/h3>\n

Unlike some changes to law where websites can be a bit vague, the ICO website<\/a> has an abundance of information on the changes, how to prepare for GDPR and lots of checklists and guides to help you along the way. Some organisations will need to register with the ICO – there is a handy tool to find out if you do or don’t need to register, but if in doubt for \u00a335 it is better to register.<\/p>\n

Complete An Audit<\/h3>\n

The ICO website has a great checklist to help you see where you might be at risk within your business, with lots of examples of how to deal with things like Subject Access Requests or how to record what data you hold. If, like me, you are a small business owner with a database of people you have met whilst networking, take note: I will shortly be asking all my contacts to opt in to receiving my newsletters and blog updates because, if you can’t prove consent, you could be in breach of the new GDPR regulations.<\/p>\n

One thing the regulations make clear is that it should be as easy to opt in as it is to opt out. If you use something like MailChimp to send out newsletters, it already has this opt-out feature built in and keeps an audit trail for you. If you want to successfully prepare for GDPR, make sure this feature is turned on!<\/p>\n

Now I do understand that some might take one look at the ICO website and think “I’m never going to understand all this!”<\/em> Well, you are lucky that there are now organisations that are specialising in completing audits for businesses. Fusion Forensics<\/a> is not only holding seminars to help companies prepare for GDPR but also offering audit services. Other organisations also offer similar services but please make sure you do your research to make sure that they are a legitimate company.<\/p>\n

Policies<\/h3>\n

If you don’t have policies<\/a> in place already, you will need them, such as an IT policy confirming that you are allowed to place monitoring software on machines. You need to ask questions like: do your staff have mobile phones that hold company data such as emails? Do you have a policy showing how you protect that data should the phone be lost or stolen? You will need the answers!<\/p>\n

According to the new Consent in Contracts of Employment, in order for you to hold personal data on any new staff after 25th May 2018, you will need to get consent to hold the data, plus lay out exactly what data you hold on that person and state how long you will hold it for.<\/p>\n

Processes<\/h3>\n

You need to look at what data you hold on your staff, suppliers, and contacts and ensure you have a policy on what data you hold, why you hold it and what you do with it. Companies will need to look at their own regulations and ensure that retention policies are put in place. Any current data you have locked away in dusty cupboards or in secure data holding centres will need to be reviewed.<\/p>\n

Recruitment and Absence are just a couple of the policies that will need to be reviewed. Ensure you are clear about what data you will hold: for example, in the case of long-term absence, how long you will hold doctors’ records for and how you will ensure data is destroyed in the correct manner.<\/p>\n

What happens if you have a data breach<\/a>? You need to ensure that you have policies in place to deal with these, much like when someone has an accident in the workplace.<\/p>\n

Training<\/h3>\n

Part of the 6 New Principles in the GDPR is awareness training. All staff must be aware of what they are allowed to do with the data that they have access to. In the next few weeks, Upskill People<\/a> will be launching their new Data Security Essentials E-Learning Course that will help you prepare for GDPR and explain your employees’ responsibilities. In a similar vein to Health and Safety or Fire Training, this will need to be reviewed every 6 months, with documented training records for all staff.<\/p>\n

In Summary:<\/h3>\n

2018 is not the Year of the Ostrich so don’t bury your head in the sand.<\/p>\n

Instead, make sure that you:<\/p>\n