Implementation of the GDPR (General Data Protection Regulation) is looming, as 25 May 2018, the deadline date, will soon be here. The GDPR is one of the biggest shake-ups of data protection legislation for thirty years when the Data Protection Act 1998 came in. In order to protect personal data, the law requires all organisations to tighten up on how they handle it, from acquisition to destruction. In this article I provide tips to assist you with GDPR compliance.
1. Identify the data controller in your organisation. This should be a senior member of staff and is usually the Managing Director in a small company; in a larger organisation this can be either the Managing Director or a board member. The ICO (Information Commissioner) will need to be notified.
2. Consider appointing a Data Protection Officer. This person should deal with day-to-day data protection issues and be the company “fount of all knowledge” and the go-to person for personal data issues. With a small company this role could be incorporated part time in an existing role. The Data Protection Officer needs to know everything there is to know about data protection in order to give advice to colleagues. A larger company could recruit to the role or even appoint a consultant with data protection knowledge.
3. In order to comply with the GDPR it is essential to undertake a data protection audit as soon as possible. This could be coordinated by a project team from within the organisation, or a consultant could be commissioned to undertake this potentially time-consuming task, followed by the drafting of a report to highlight compliance gaps.
4. Having identified the compliance gaps, gather together all the essential documentation that may be needed to comply with the law. Paperwork could include a data register, an asset register, asset management policy, updated IT policy, privacy notice, data protection officer job description, etc.
5. Review all existing documentation to see if it would stand up to scrutiny if there were a challenge to the integrity of processes. Changes may need to be made to employment contracts and staff handbooks for example.
With the recent high-profile resignation of female BBC reporter Carrie Gracie, the introduction of gender pay gap reporting highlights the tender trap that many organisations can find themselves in. The Equalities Commission is now going to look into Ms Gracie’s claims that two international reporters doing the same job as her were paid more than 50% more than her.
Gender pay gap reporting, introduced by the government in April 2017, requires organisations who employ more than 250 staff to publish the pay gaps between men and women by April 2018 and on an ongoing basis. The BBC have argued that they undertook an audit and considered there wasn’t a problem. However, at least 150 women employed by the BBC don’t agree and are silently backing Miss Gracie’s very public outcry. She is so incensed that she has resigned. An inability of an organisation to produce the figures will have the public speculating as to the reasons why. Those who do publish damning figures may face damage to reputation and an inability to recruit. Pay is such an emotive issue and everyone wants to know that they receive a fair day’s pay for a fair day’s work. If women do the same job as men or the job is of equal value they should be paid the same. A job evaluation process could highlight the gaps which will then need plugging.
Despite almost fifty years of sex discrimination legislation in the UK, the gap between men’s and women’s pay still exists. Men are paid on average 10% more than women, women are employed in the lowest earning sectors in the UK and are given bonuses at least 5% less than men. See more about this on the ACAS website http://www.acas.org.uk/index.aspx?articleid=5768. It appears to still be a man’s world, as they say.
Now the excitement of the Christmas and New Year festivities has faded it’s time to get down to business and look ahead to identify the HR trends for 2018.
One major trend is the increasing need to focus on data protection. In May 2018 there will be a major shake-up of data protection laws, which have existed in the UK since 1984 and are designed to protect employees and consumers in how their personal information is held and managed by organisations. Organisations will need to undertake an audit of data protection procedures across departments to ensure personal information is handled in accordance with the new laws. An audit should methodically identify what data is held and why, who manages the data, what procedures are followed, and what needs to be altered to ensure compliance with the law. Subject access requests must now be handled within one month and without charging a fee. Employees and potential new employees must be informed as to the exact reasons why their personal data will be processed. Organisations need to draw up a privacy notice that should indicate what personal information will be managed and how. To be honest, data protection isn’t the most exciting area of HR, but unfortunately if companies don’t comply the consequences could be huge fines. To find out more there is a wealth of information on the Information Commission website https://ico.org.uk/
Following the success of Unison in the Supreme Court in July 2017 employment tribunal fees have been abolished. The fees were introduced in July 2013 and meant that if an employee wanted to take their employer to an employment tribunal for unfair dismissal they had to find £1200 which is a hefty sum if you have just lost your job. The Supreme Court decided that the fees were unfair and were a barrier to justice. Anyone who paid employment tribunal fees since 2013 is entitled to apply for a refund.
The statistics from 2013 – https://www.gov.uk/government/collections/tribunals-statistics – showed a dramatic reduction in the number of employment tribunal claims being lodged which was the main intention of the Conservative government. Since the abolition of the fees there has been a noticeable increase in the number of claims being lodged although at the moment they have not reached anywhere near the level in 2013 before the fee introduction. However, give it time. There remain a lot of unscrupulous employers out there who fail to treat their employees well. It now costs nothing to lodge a claim so during 2018 we could well see the trend in the number of claims rising.
The latest unemployment figures show the rate is 4.6% which means there is very little wriggle room for employers to find new staff. The skills shortage and therefore this trend in the UK will continue and may get worse. This is a phenomenon that has been around for quite a while in the UK with many industry sectors suffering and competing for staff. The skills shortage may get worse in some industry sectors with Brexit causing an impetus of skilled staff returning to their homes elsewhere in Europe.
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force and will replace the Data Protection Act 1998. It is designed to give tighter security to personal information. Data controllers and data processors are responsible for ensuring personal data is held securely. For organisations that breach the GDPR the fines are potentially huge – potentially running into millions of pounds – a fine of up to £10 million or 2% of turnover. The data controller carries the heaviest burden whilst data processors need to ensure that data is held confidentially and compliantly and security problems are addressed.
There are six processing principles – lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality.
So how can HR prepare an organisation for this onerous responsibility?
The first step would be to undertake a data protection audit. Depending on the size of the organisation it might be a good idea to create a project team from across different departments. For smaller organisations a team of at least two is ideal. The audit will then need to identify the data that is collected along with the purpose, identify the legal basis you are seeking to rely on, review data collection, storage, retrieval and record keeping, review service providers and data processors (including third party outsourced partners) and analyse risk from any compliance gaps. The organisation should then update or implement relevant HR policies such as data protection, recruitment, IT, disciplinary, whistleblowing, data subject access requests and privacy notices.
As many private sector organisations may not currently have a privacy notice in place, it is essential to develop one that gives information to employees on what data will be processed and how. The privacy notice also needs to detail their rights and obligations, clearly identify the Data Controller (usually the CEO) and explain what to do in the event of discovering a data protection breach. A detailed privacy notice could be issued along with an employment contract or become part of a staff handbook.
Given the seriousness of this forthcoming law and the implications for non-compliance, it might be a good idea to implement training in GDPR across the workforce.
If you would like assistance with a GDPR audit and GDPR toolkit then we can help. Give us a call on 07762 771290.
Breaking news today from the Supreme Court, who have decided that employment tribunal fees introduced in July 2013 are unlawful as they prevented access to justice and breached UK and EU law.
The case was ultimately taken to the Supreme Court by Unison, who have fought this long and hard, but now successful, battle. Many of the employees who have paid fees to take their employer to tribunal will now need to be refunded. The government will now have to pay out a whopping £27 million. Before July 2013 employees could take their employer to a tribunal without charge, but this changed in 2013 when fees topping £1200 were introduced for claims related to unfair dismissal and discrimination. This has led to a dramatic decrease in the number of claims being lodged – 78% in three years. The reduction has probably been due to a lack of affordability, with many employees unable to do anything about any potential unfair illegal treatment at work. If someone was unfairly dismissed they would more than likely not have the funds to take a claim, having lost their job and income. This would be particularly relevant to employees with a low or middle income.
Time will tell how the government will tackle the need to make changes. Whilst the Supreme Court has indicated employment tribunals should be free, tribunal fees may not be completely abolished but may perhaps be vastly reduced. The government will probably organise a consultation exercise before implementing any changes to fees.
In July 2013 the government introduced a mandatory one month ACAS conciliation period which has helped to resolve approximately 90% of cases without going to an employment tribunal. This process will probably still be retained as it appears to have been very successful in helping to reduce the thousands and thousands of claims that used to swamp the employment tribunal system.
Nevertheless, it seems that this barrier to justice will now be removed so law-breaking employers should beware.
The latest employment tribunal statistics – July to September 2016 – show a marginal increase of 2% in single claims compared to the same period in 2015 whilst there has been an increase of 45% for multiple claims for the same period. A multiple claim is one that contains multiple claimants on the same form.
The employment tribunal statistics show that the average time to dispose of a single claim was 26 weeks, but 205 weeks for a multiple claim.
4,300 single claims were received during July to September 2016 with 27,200 multiple claims and over 5,245 applications were made for remission of the issue fee which can range from £160 to £250. 4,623 claims received either full or partial remission. A fee remission can be applied for where a claimant does not have a certain level of savings in the bank and/or is on a low income or income support. A separate fee remission application must be submitted. Fewer applications were made for remission of the hearing fee which can range from £230 to £950.
The latest Pensions Regulator’s commentary and analysis has revealed that 66% of employees are now members of a pension scheme, compared with 47% in 2012. The Pensions Regulator declares auto enrolment a success. It seems the historic decline of the working population to provide for their pension has been reduced.
Compliance rates of 95% have been recorded in relation to the first group of small and micro employers to implement automatic enrolment. Almost 60% of employers who are still to go through the process are micro firms with between one and four employees, and around 950,000 employers are forecast to implement automatic enrolment within the next two years. It is therefore important that small and micro businesses engage with the process.
The report also found that around three million employees have been enrolled in a master trust, and more than 185,000 employers used the ‘Duties Checker’ tool on the Pensions Regulator’s website between October 2015 and March 2016.
However, the implementation of this statutory process by all businesses continues to face problems, as it has been reported that enforcement action taken against businesses for failing to comply is up by 300%. The Pensions Regulator has escalating powers to deal with non-compliance in the form of fines that can accrue on a daily basis. The Pensions Regulator can also undertake investigations and issue compliance notices.
In the next two years 950,000 small and micro businesses will have to put a pension scheme in place. If they do not understand the process they should be seeking advice as soon as possible.
Outdated or non-existent employment contract and employee handbook
This is one of the main reasons I am contacted by small and medium sized businesses. It is quite easy for existing documents to get out of date as employment law changes frequently. Despite the implementation of the Employment Rights Act 1996, which requires an employer to provide a new employee with employment terms and conditions (contract) within eight weeks of starting employment, many businesses still do not do so. Failure to provide this document can lead to compensation equivalent to up to four weeks’ pay in an employment tribunal. An employee handbook sets out the guidelines and rules that all employees have to adhere to and should be drafted in accordance with current employment law. Outdated policies could lead to wrong actions being taken against an employee and a possible employment tribunal.
Lack of understanding with employment law
Since the 1990s there has been a steady stream of laws related to employment that have been implemented in the UK. Employee issues such as disability, pregnancy, discrimination, health and safety and pay can be complex to deal with. Many laws now contradict one another and it takes an employment law specialist to unpick the essentials for any given employee situation. The cost of failing to understand current employment law could lead to an employment tribunal.
A disciplinary matter needs urgent attention
From time to time a serious situation may occur in the workplace and it is important that, even if it is minor, it is dealt with quickly. Certainly in a gross misconduct situation it is often essential to suspend an employee or employees as soon as possible whilst a thorough investigation takes place. Time is of the essence to ensure that any important evidence is not hidden or destroyed. It is important to take urgent advice where you feel you are lacking experience of how to adequately handle these matters.
An employee is not performing well
So many businesses have underperforming employees that they fail to deal with. Unfortunately this can impact on profits and employee morale. It is not nice for fellow employees to see a poorly performing colleague not being dealt with by management. The matter should be dealt with in a structured legal framework to try and get the employee back on track. It can be time consuming to deal with but ultimately the employee can be fairly dismissed if a performance management process fails.
You have no time to deal with employee matters
Dealing with employee issues can be very time consuming. With a problematic employee you have to meet with them and keep a paper trail of what you have done to try and manage the situation. Most business owners prefer to keep their focus on the business, which is time consuming enough without having to deal with problematic employees, which is where HR can help.
Since pension auto enrolment was first implemented in the UK in October 2012 as a government initiative to ensure workers have sufficient pension savings for their retirement, the process has been gradually rolled out and is now affecting millions of small businesses. So, having been in place for quite a few years now, the government is seeking to make changes to pension auto enrolment.
Whilst large and medium sized companies in the UK have been required to comply with due process or face huge fines, the government has become increasingly concerned about the impact of pension auto enrolment on small businesses, which lack the resources afforded to bigger companies.
The government has now pushed back the dates for increasing contributions to April 2018 and 2019 in an effort to stave off a potentially looming crisis of small businesses and pension providers being unable to cope. There has been media coverage about concerns over whether NEST, the only workplace pension without fees, will be able to manage as probably the main pension provider small businesses will look to due to its affordability. In the next few years millions of small businesses need to comply.
The qualifying earnings band for auto enrolment minimum contributions will remain at £10,000 in any pay period from April 2016. The qualifying earnings band for 2016-17 will be £5,824 and £43,000 per annum.
The DWP is aiming to simplify auto enrolment with some minor changes from April 2016. There will be no need to auto enrol/re enrol company directors and members of limited liability partnerships, and there will be a simplified method for an employer bringing forward its staging date and a simplified time scale for employers to notify the pension regulator that they maintain an auto enrolment pension scheme. Consultation on these changes closes in February 2016.
One thing is for sure, as with all government legislation, these will not be the last changes to be announced by the government about pension auto enrolment.
In a landmark case the ECHR (European Court of Human Rights) have deemed that employers can read employees’ private messages whilst they are at work. This has implications for UK employees who use Facebook, Twitter and other social media platforms to communicate with family and friends during their working day and highlights the increasing blur between workplace privacy as working hours become longer.
The case was taken by a Romanian engineer who messaged his partner on a private messaging platform. His employment was terminated by his employer, who had a policy in place that banned its employees from making use of company resources for personal use. The employer had accessed his private messages on Yahoo as he also used this medium for work-related messages.
The ECHR decision goes to the heart of the employment contract with the implied term that in exchange for wages an employee commits the whole of their time to the employment for which they are being paid.
Some legal experts have warned that even after work hours have ended an employee should not use private messaging platforms for personal use with company smartphones, tablets or laptops.
Many employees may now assume that their employer could monitor their online activities whilst in work and should seriously consider what they do in this regard. However, it is important to note that in order to undertake monitoring of online activities, a policy should be in place that clearly states that this may or will take place. If there is no policy, in an employee handbook for example, employers should now consider the need to establish this. An existing policy should be reviewed in accordance with this development.
A statement referring to online activity monitoring should ideally be included in an IT and/or internet use policy. An employment practices code linked to the Data Protection Act 1998 published by the Information Commission gives useful guidance on this matter. In the light of this ruling, the Information Commission may need to review its own guidance now.
In a policy the employer should be clear about the purpose of monitoring, including the nature, extent and who will be doing the monitoring. With larger companies it would be expected that it would be done by the IT department, but small businesses would need to identify who would undertake the activity. The benefits of online monitoring should be included in the policy and ideally an impact assessment done to establish the risks. Monitoring should not be excessive and should only be done to meet a clearly defined purpose, otherwise employees will develop mistrust of their employer’s intentions, which is not conducive to a harmonious working environment.
Individuals who are undertaking the monitoring should be provided with training that includes maintaining privacy and confidentiality if accessing personal information. These individuals should have clear written guidelines in this regard.
If monitoring is to enforce company rules, a link to the disciplinary policy should be stated with the procedure clearly explained along with sanctions for non-compliance.
Employees should be made clearly aware that the policy is being implemented or exists and has been reviewed. New employees should be informed as part of an induction procedure. Ideally an employer should get explicit written consent to monitoring by implementing a consent form.