GDPR lessons learned

Following the first two major fines for GDPR infringements, Eleanor Deem reminds us of the lessons that can be learned from these cases.

After a first year of GDPR enforcement marked by relative leniency from the Information Commissioner’s Office (ICO), we recently heard of two large ‘example’ fines for GDPR infringements, both announced by the ICO as intentions to fine. The first, of £183m, was for British Airways, after a data breach in which customers were diverted to a fraudulent website that harvested their details; the second, of £99m, was for the hotel chain Marriott, after hackers stole the personal data of around 339 million guests.

Neither of these breaches involved employee data, but there are lessons to be learned for small employers, both from the cases themselves, and also from the wider developments since GDPR was first implemented in May 2018.

The party’s over

The most obvious lesson from the BA and Marriott fines is that the ICO considers any ‘grace period’ to be over. A couple of headline-grabbing examples are a clear signal that serious data breaches are now far more likely to attract painful fines. BA’s fine represents around 1.5% of its global turnover, well short of the maximum of 4% of annual worldwide turnover (or €20m, whichever is higher), but could your business easily absorb a fine of 1.5% of turnover?

Public awareness

Members of the public, including your clients, customers and staff, are now far more aware of their rights over their privacy and the information held about them. We have seen a sharp rise in Subject Access Requests (SARs), in which individuals ask to see the data held on them. Many small employers had never received one before, so the increase is catching many by surprise and causing serious administrative headaches.

What you should do now

There are five steps any small employer can take right now to ensure it can cope with a SAR and to minimise the likelihood of a fine for a breach of GDPR requirements.

Data register review

Make sure you have a data register and that it is kept up to date. The information on the register will change as the data you process changes, as the people accessing it change, as new software is implemented, and for many other reasons. A comprehensive data register also makes a SAR much easier to handle, because you know exactly what you are looking for and where to find it.

Privacy Notices

Make sure you are issuing privacy notices to employees, workers, contractors and job applicants, and that they are updated whenever the data you handle, or what you do with it, changes.

Clean data

Your data register and privacy notices should state how long you will retain each category of data you hold. It sounds obvious, but make sure you are actually sticking to those retention periods. More than a year on from GDPR implementation, there will be plenty of data you should have erased by now. In a busy ‘all hands on deck’ small business without dedicated data protection staff, it is far too easy to miss deletion dates and end up holding data longer than you are supposed to.

Review training

Hopefully, staff in your business who handle personal data received data protection training either before or shortly after GDPR implementation. But training delivered 12 to 18 months ago may well need refreshing, and new staff, or staff changing roles, will also need training.

Be SAR-ready

If (or rather when) you receive a Subject Access Request from a current or former member of staff, responding can be an enormously problematic and time-consuming task unless you have a process in place, and the response is normally due within one month. Put together a short checklist, linked to the data register, so you can quickly trigger a process in which everyone involved knows what data they are responsible for gathering, who to provide it to, and who will collate and respond to the request.

The overall lesson is that after what felt like a mad panic of GDPR implementation last year, it is important not to become complacent now that other priorities have taken over. Data protection is an ongoing requirement, and there are real risks to your business if compliance isn’t up to scratch.

Author: Eleanor Deem is the founder of face2faceHR and is an experienced HR professional with a background working in the private and not-for-profit sectors.
