Data protection laws are changing and even if you are a small business, you need to be aware of them and be prepared for them!

GDPR will cover every area of your business as it will apply to all personal data held on a ‘data subject’. This includes data you hold on your clients, prospects, suppliers and of course your employees.

We have written a series of blogs to help you navigate through GDPR for HR. While our blogs will focus on HR data, the principles outlined can also be applied to other areas of your business.

But let's start with the basics. What is GDPR?

GDPR stands for the General Data Protection Regulation. GDPR is being introduced by the European Union to strengthen the laws surrounding data protection (and personal data). GDPR will come into force on 25th May 2018.

GDPR will bring the law up to date and more in line with current technologies. Quite simply, back in 1998 (when the Data Protection Act came in), technology was completely different. Computers were in their infancy, no one shopped online and no one had heard of Facebook! In the years since the Data Protection Act, technology has changed our world beyond recognition – and so the law surrounding personal data needs to be updated.

However, GDPR is not confined to digital data. It also covers good old-fashioned paper files and data kept in your filing cabinets or desk drawers!

GDPR also brings with it much tougher fines – up to 4% of annual turnover or 20 million Euros in the event of a serious data breach or non-compliance. It will also give individuals a much greater say over how their personal data is used and stored by an organisation.

To comply with GDPR you need to have an understanding of the key principles and rights, which we will cover in our blog series. But to start with, here is an easy road map to help with navigating towards GDPR compliance. We will be covering all these areas in our subsequent blogs:

1. Understand the key principles of GDPR and the new rights granted to data subjects (these are your employees from an HR point of view).

2. Understand what data you keep and process (creating a register of the data you keep). You also need to know who has access to the data, where you keep it, why you keep it and for how long.

3. You can then compare what you currently do against the principles and rights and make changes to your working practices, policies and procedures as may be appropriate.

4. Identify an acceptable legal basis for keeping the data (as set out in the GDPR).

5. You also need to know what you will do if there is a breach, to make sure it is recorded and reported correctly.

6. Finally, keep everything under review: check that any changes to working practices and new policies are being adhered to so you remain compliant. This will include making all employees aware of GDPR (e.g. through training).

An important note about data breaches: the fact is that the majority of breaches will be the result of some human intervention. So while IT security is important, it is just as important, if not more so, to raise awareness of GDPR amongst your employees. If they can relate to GDPR (e.g. how would they feel if their personal data was used inappropriately, if sensitive data was not kept secure, or if someone committed fraud using their personal data, such as taking out loans or shopping on Amazon using their details?) then they are more likely to consider how they handle personal data belonging to others. This cultural change is probably the most effective way to ensure you comply with GDPR.

In our series of blogs on GDPR for HR, we will take you through the road map. Our next blog will look at the GDPR principles and the new rights granted to employees.

If we can be of assistance please do not hesitate to contact us on 01702 216573 or email me at

Useful Links

The Information Commissioner – Telephone number: 0303 123 1113

(Regulation 2016/679/EU)