Business owners are being warned that new data protection regulations coming into effect this week apply to their employees as much as their customers.
With the clock now well and truly counting down towards GDPR, employers are being urged to comply with rules regarding the security of staff information, including personal details such as sexual orientation and health records.
Many businesses in Wales have been getting ready for the arrival on May 25 of GDPR – General Data Protection Regulation – particularly by letting consumers know how their data is stored and inviting existing customers to opt into newsletters and databases. But experts at Robertsons Solicitors believe that fewer business owners are scrutinising the way they handle personal information about members of staff, and may be putting the business at risk as a result.
Employment lawyer Chris Barber said:
“We’ve been exceptionally busy helping our clients prepare for GDPR and have noticed something of a pattern emerging. It’s widely known that the rules are changing around how customer data is processed and stored, yet many business owners seem unaware that the regulations also apply to how they manage employee information.
“GDPR gives greater rights to employees when it comes to how their details are stored, and by whom. Employers have a responsibility to let staff know what information they hold about them and how it’s stored. Do any third parties, such as accountants or bookkeepers, also hold that information? This includes sensitive information including criminal records, mental health, sickness records, sexual orientation and ethnic background.”
The new regulations expand on the Data Protection Act 1988, which GDPR replaces in the UK. Employees are given greater rights, while the penalties for non-compliance are potentially far more significant, including fines of two percent of turnover or 10m Euro – whichever is greater – for breaches of internal record keeping, and four percent of turnover or 20m Euro for breaches of data subjects’ rights or international data transfers.
Chris, the author of Law for Startup Business, added:
“We’ve been helping clients carry out audits of the information they hold and drafting privacy notices to issue to their staff. These do not have to be complicated but they do have to be clear and transparent and with sufficient detail that each employee understands what data about them is being held.
“Unfortunately, there is a great deal of confusion about GDPR, so we would recommend speaking to an employment expert in order to understand your rights and responsibilities.”