The impact of GDPR will be felt far and wide Designed to better safeguard the personal data of EU citizens, the new regulation represents a significant change to data protection and privacy rules:
GDPR comes into effect on 25 May 2018, meaning businesses must be ready to comply by this date.
Never mind “Brexit means Brexit”. GDPR means GDPR. Despite our ongoing divorce from the EU, UK companies will still have to abide by the new rules. Plans for implementing GDPR were confirmed in the 2017 Queen’s speech.
It’s not just UK and European businesses that have to comply. Any company that touches EU citizens’ personal data is affected, regardless of where the business is located – making GDPR a truly global data protection regulation.
Transparency and consent are key It used to be that consent for employee data was implied, or part and parcel of employment. But GDPR means that’s no longer the case. From a transactional perspective here are some key principles and guidance for you to consider:
Explicit consent is a critical facet of GDPR, meaning companies must ask their employees for permission if they want to use their personal data.
For employees to be able to grant consent, they must be given a clear understanding of what personal data will be gathered and how the company intends to use it.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
It must be as easy to withdraw consent as it is to give it.
Businesses must keep records that show the date on which consent was given, what was consented to and how it was obtained.
Among the most effective ways to achieve this is by using the ‘double opt-in’ method, whereby an employee tick on an initial form triggers a follow-up email to them, incorporating a hyperlink that they can use to confirm all the details are correct. The returning email confirmation from the subscriber provides suitable evidence of consent under GDPR.
Here at Caburn Hope we believe there are two factors of successful communication ‘transactional’ and ‘emotional’. So, whilst on the surface GDPR may seem like a matter of putting the right processes in place we’d urge you to consider the way you engage your employees with the new requirements and rights that GDPR brings.
Employers should create transparent communications setting out the information employees need, and engaging them with compelling messages around why employee data is needed. A focus on positive outcomes for employees is essential to encouraging consent – for example, if an employee knows that use of their data helps the company devise personalised communications and reward packages, they’re far more likely to give permission.
From employee consent to customer consent and beyond, an alarming 69% of UK companies are not prepared for the changes GDPR will bring.
Businesses that don’t comply with the new data protection rules face huge fines: up to €20 million or 4% of annual worldwide turnover.
Understanding the value of HR data If you’re thinking, “Well, maybe we don’t need all that employee data,” hold fire. Data is a crucial enabler of employee engagement. In the same way retailers leverage loyalty card data to target their customers, employers can use employee data to tailor the way they communicate, influence behaviours and drive productivity. So, rather than looking at GDPR as yet another administrative burden why not take this opportunity to re-engage with your employees and establish open and transparent lines of dialogue with them.
If you need help with any aspect of communicating and implementing GDPR please do get in touch.
 Reform of EU data protection rules – European Commission  Queen’s Speech: new data protection law – BBC News  The global impact of GDPR – The Global Legal Post  Are You Ready for GDPR? 69% of UK Businesses Aren’t – Commstrader.com  Regulation (EU) 2016/679 – Official Journal of the European Union