Archive RSS
Blog  »  GDPR
17
Sep 18

Posted by
Jennie Hussey

Data Protection complaints increase since introduction of GDPR

Nearly 4 months since the General data Protection Regulation (GDPR) was introduced across all of Europe, complaints around Data Protection have nearly doubled in the UK and are up by nearly 2 thirds in Ireland.


GDPR was designed to give Data Subjects more control over their personal data, with more transparency and the threat of larger fines to those in breach of the new rules. The GDPR requires any company that suffers a data breach to notify its users/data subjects within 72 hours of the breach being discovered.


• Ireland’s Data Protection Commission (DPC), head of communications - Graham Doyle has said that ‘there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25th.’ Since GDPR enforcement began the DPC has seen monthly data breach reports double, while data protection complaints increased by 65%.

• Data protection complaints to the UK’s Information Commissioners Office (ICO) rose to 4214 in July compared to just 2310 complaints received in May before the GDPR came into force. A spokes person for the ICO said the increase was expected, as more users became aware of data protection because of publicity around the new rules and following a series of high-profile data scandals involving big technology firms.


Experts note, however that the increase does not mean that the number of data breaches has suddenly gone up, but rather reflects the full scale of the data breach problem becoming better known.
Organisations that fail to comply with GDPR can face fines of up to 4% of annual global revenue or €20 million, whichever is greater. So far none of the EU’s Data Protection Agency’s has issued any fines. Graham Doyle at the DPC said ‘It is too soon to expect to see any fines levied against organizations that have violated GDPR – given its only 3 months after it went into full effect.’

 

We will be hosting a free online webinar - ‘GDPR 3 Months On’ on Thursday September 20th at 11am, where Graham Doyle will joining us as a guest speaker.


To register for this webinar please click here.

Posted in Company handbook, Employee Contracts, Employee Self Service, Employment Update, Events, GDPR, General Data Protection Regulation

24
Jul 18

Posted by
Jennie Hussey

Back to Basics - New Employees

We often get calls into the helpline requesting basic information on HR/Employment Law queries like how to deal with new starters or when should an employer invoke the disciplinary procedures, so we will look at some basic HR topics in a series of blogs starting today with new employees.


New Employees
• A new employee is required by law, under the Unfair Dismissal Act, to receive a copy of the company’s ‘Dismissal Procedures’, which are usually contained in the ‘Disciplinary/Grievance Procedures’ of the Staff or Company Handbook, within 28 days of starting work with the company.
• Under the Terms of Employment (Information) Act 1994 the employer is obliged to furnish new employees within 2 months of starting, with a ‘Written Statement of ‘certain’ terms and conditions’ of their employment, also known as an ‘Employment Contract’.
• The new GDPR regulations specify that employers must provide their employees with information about what personal data they hold on them, for what purpose and how it was collected, who it may be shared with, what security measures are in place to keep it safe and what the employee’s rights are as well as other specific requirements. This is called an ‘Employee Privacy Policy’ or ‘Employee Privacy Notice’ and should be given to the employee as an addendum to their Employment Contract.

Based on these 3 pieces of legislation it would be best practice to provide your new starter with their Employment Contract, Privacy Policy and Staff/Company Handbook on their first day of work, if not before it. An employer can be fined up to 4 weeks pay for not providing the employee with their ‘Written Statement of Terms and Conditions of Employment’ within the 2 month timeframe, so it is best to get into the habit of furnishing the documents as soon as possible.

There is no requirement for a signature from the employee on any of these documents; however it would be prudent of an employer to request a signature from the employee or at least some form of acknowledgement or proof of the employee receiving the documents.

The new Employment Bill 2017, yet to be introduced, stipulates that a new employee should receive some details of their terms of employment within 5 days of starting with a company but it is yet to be seen whether this aspect of the Bill will get the go ahead.

Bright Contracts offers employers a simple and user-friendly system which enables them to easily create and customize all of these documents and keep an electronic record on file. To download a Free Trial click here or book an online Demo of the Bright Contracts software.

 

Bright Contracts | Thesaurus Payroll Software | BrightPay Payroll Software

Posted in Company handbook, Contract of employment, Dismissals, Employee Contracts, Employee Handbook, Employee Records, Employment Contract, GDPR, Staff Handbook

22
Jun 18

Posted by
Jennie Hussey

Privacy Policies - a GDPR requirement

One of the main principles of GDPR is that Data shall be processed lawfully, fairly and in a transparent manner, these three elements overlap and all three must be satisfied in order to demonstrate compliance.
Employers, as both Data Controllers and Processors, must be able to show how they comply with the new data protection principles and be clear and open with their employees about the processing of data and their rights. The GDPR stipulates that anywhere personal data is being collected, either directly or indirectly, Privacy Notices should be in place, these policies are critical to complying with the transparency obligations in the GDPR. So the introduction of an Employee Privacy Policy will cover the required elements and ensure demonstratable compliance in this regard.


The Privacy Policy should be written in a clear and easily-understandable format and must include;


• What data is processed – name, address, PPS no., bank details, etc.
• How it was obtained – employee detail request form, CV, ROS, etc.
• The ‘legal basis’ for processing the data – contractual necessity, legal obligation, etc.
• Who has access to it and any third parties– HR dept., payroll clerk, pension company
• How it is stored and security – HR system, Thesaurus software, encryptions, etc.
• How long it is kept for –set in company policies or statutory requirements
• The rights of the employee – right to access, rectification, erasure, etc.
• If data is transferred outside the EEA
• Contact details of Data Controller


We have recently upgraded our Bright Contracts software to include a new Employee Privacy Policy feature, so now employers can facilitate the main GDPR principle of lawful, fair and transparent processing of the employee data. We have also updated the Data Protection Policy within the Handbook and the Data Protection Clause within the contracts.


To download a free trial of Bright Contracts, click here.
To request a free online Demo of Bright Contracts, click here.

 

Bright Contracts | Thesaurus Payroll Software | BrightPay Payroll Software

Posted in Bright Contracts News, Contract of employment, Employee Contracts, Employee Records, GDPR, General Data Protection Regulation, New Features, Software Upgrade

12
Apr 18

Posted by
Laura Murphy

How GDPR will affect your employee processing

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018 changing the way we process data forever. The aim of the GDPR is to put greater protection on the way personal data is being processed for all EU citizens. Personal data can be anything from a name, an email address, PPS number, bank details etc so as you can imagine employers process a huge amount of personal data on a daily basis. So how will the GDPR affect employers in terms of processing employee data?

Consent

Data in the employment context, will include information obtained from an employee during the recruitment process (regardless of whether or not they eventually got the job), it will also include the information you hold on current employees and previous employees. All this information may be saved in hard copy personnel files, held on HR systems or it could be information contained in emails or information obtained through employee monitoring.

Under GDPR your employee’s will have increased rights around their data.

These rights will include:

  • The Right to Access. It’s not a new concept that employees will be able to request access to the data you hold on them. However, there is a new recommendation that where possible employers should provide their employees with access to a secure self-service login where they can view data stored on them. This backs-up the whole concept of transparency and ease of access to data, which underpins the new Regulations.
  • The Right to Rectification. Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This is an existing right and the onus is on the employer to ensure that your employee records are kept up-to-date. To help ensure you maintain up-to-date records, employers should make it easier for employees to update their data.
  • The Right to be informed. Employers must be very transparent with employees about what data you hold, why and how long it is held for. Up until now it has been the common practice for many employers to include a standard clause in the employment contract regarding the processing of HR Data, under GDPR that will no longer be sufficient. Employers need to be reviewing their Employee Data Protection Policies and possibly writing new Employee Privacy Policies that go into detail on the processing of employee data.

Employee self service

Under the GDPR legislation, where possible employers should be able to provide self-service remote access to a secure system which would allow employees view and manage their personal data online 24/7. Furthermore, the cloud functionality will improve your payroll processing with simple email distribution, safe document upload, easy leave management and improved communication with your employees. By introducing a self-service option, you will be taking steps to be GDPR ready.

 

For information on how long to keep on employee files please see our blog: How long should you retain employee records under GDPR?

To book a free online demo of Bright Contracts click here.
To download your free trial of Bright Contracts click here.

Posted in Bright Contracts News, Contract of employment, Employee Handbook, Employee Records, Employee Self Service, GDPR, General Data Protection Regulation

4
Apr 18

Posted by
Lauren Conway

How long should you retain employee data under GDPR?

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018, legislation with new rules and guidelines on how to protect and process personal data. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc.

The GDPR requires that when retaining and processing personal data there must be lawful reasoning for doing so. In terms of processing employee data employers are likely to rely on a number of lawful reasons, mainly: to fulfill contractual obligations, legal obligations or other legitimate interests. Under data protection legislation employee data should be kept for no longer than is necessary, for the purpose that it was retained. However, when deciding how long to retain personal data employers should be guided by employment legislation.

So how long should I retain employee data?

Written Terms of Employment – 1 year

Employers must retain a copy of this statement throughout the employee’s employment and for one year after termination at a minimum.

Payroll details and Payslips – 6 years

Records, calculations and documents relating to the value of benefits for employees must be kept for 6 years in the event of an audit by Revenue. The WRC may also inspect these in an audit and seek evidence that employees are supplied with payslips.

Hours of Work – 3 years

Details of days and hours worked each week, annual leave and public holidays taken and payment received for same. Rest break records and/or records of notification of employees being fully informed about rest break entitlement and procedures if rest break is unable to be taken.

Maternity and Adoptive Leave Records – none

While there is no set period of the retention of data on maternity leave or adoptive leave records, claims can be made within 6 months of employers being informed of an issue giving rise to a dispute or extended to 12 months in exceptional circumstances.

Parental Leave – 8 years

Records of Parental Leave, including the period of employment of each employee and the dates and times of the leave taken, must be retained for 8 years.

A more detailed list of Employee Record Keeping Requirements can be viewed here.

Where legislation gives no guidance on record keeping requirements, employers should carefully predetermine, and include in any employee privacy notice, how long and the grounds they will use for retaining that data. For example; an employer may decide to retain all performance review records for the entire duration of an employee’s employment to monitor employee performance.

Whatever the reasoning behind retaining employee data – whether it be legal or other business reasons, employers need to ensure they have a clear policy outlining their reasoning, that this is easily accessible to employees and that the policy is consistently applied.

To book a free online demo of Bright Contracts click here.
To download your free trial of Bright Contracts click here.

Posted in Contract of employment, Employee Contracts, Employee Records, Employment Tribunals, GDPR, General Data Protection Regulation, Parental Leave, Workplace Relations Commission, WRC

7
Mar 18

Posted by
Jennie Hussey

GDPR FAQ's Answered!

The General Data Protection Regulation comes into force on 25 of May 2018. It is legislation with new rules and guidelines on how to protect and process personal data. It is replacing existing data protection regulations that dated back as far as 1988 – obviously pre-dating the era of internet and social media as we currently know it. We are all having to evolve; amending policies and changing how things are done to take into account the new GDPR rules, so here are some of the queries we are receiving into our Bright Contracts support lines on GDPR which you may find useful:

Does GDPR apply to me?

If you are a company in this country, if your company is a sole trader or a limited company, if you have employee’s working for you or customer’s paying you, then you will more than likely hold some form of personal data belonging to them (i.e. a name, an address, a PPS number, a VAT number) If you hold anything that could be classed as personal data then the new GDPR will apply to you.

What is Personal Data?

Personal Data is defined as, “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person.”

It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. (This is not an exhaustive list by any means) So, do you hold any of that type of information in your company? Of course you do; whether it is your clients, your customers or your employees. Somewhere along the line you will be dealing with personal data.

What rights do employees have under the GDPR?

As Data Subjects*, employees will have new and enhanced rights under the GDPR. The key rights in relation to employees include:

• The right to be informed: this emphasizes the need for transparency in how personal data is used. Employers should now be looking to revise their data protection policies and to implement new employee privacy policies outlining exactly what data is being held on employees.

• The right of access – there are amended rights surrounding an employee’s right to submit a data subject access request. A data subject access request involves an employee requesting to view all data retained on them, this will include data stored electronically and on paper files.

  • Time-frame for response has been reduced from 40 days to one month. 
  • It will no longer be permissible to charge a fee in order to respond to a subject access request.

• The right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete. In fact it is recommended here that employers take steps to put the onus on employees to update their personal details should they change. For example, authorities will look unfavourably on employers who are communicating with employees through an old address having made no effort to ensure the address is correct. Employers are well advised to include a clause in employment contracts outlining the employee’s responsibility to notify the employer of a change in personal details.

• The right to erasure, also known as the right to be forgotten. The broad principle being that an individual has the right to request deletion or removal of personal data where there is no compelling reason to retain the data e.g. a legal requirement to retain employee data will always be a compelling reason to retain data.

* Data Subject: “an individual who is the subject of the personal data”.

Bright Contracts employee compliant GDPR policies are coming soon!

  • If you would like to be notified when they are complete please click here
  • For further information register now for our GDPR webinars here
  • Read our GDPR blogs  here

 

To book a free online demo of Bright Contracts click here
To download your free trial of Bright Contracts click here

Posted in GDPR, General Data Protection Regulation

8
Jan 18

Posted by
Lauren Conway

The countdown to the GDPR is on!

With less than 5 month to go before the new General Data Protection Regulation (GDPR) comes into force employers are urged to start preparing immediately if they haven’t already done so.

What is it?

The GDPR is a European privacy regulation replacing all existing data protection regulations and will come into play on 25 May 2018. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.

The GDPR applies to all businesses including sole traders that process personal data (a name, photo, email address, bank details etc.) so it is safe to say that it will affect all businesses in some way. Employers are advised to be prepared otherwise they will face fines of up to €20M or 4% of annual global revenue, whichever is greater, for non-compliance. So how can you start preparing to ensure your business is fully compliant?

Preparation

A good starting point for preparing for GDPR is to create an inventory of all personal data held and answer the following questions:

• Why are you holding the data?
• What is the legal basis for holding the data?
• How is the data obtained?
• Why the data was originally gathered?
• How long is the data held for?
• How is the data saved? Is it saved securely?
• Is the data shared with anyone else and with whom?

As the GDPR requires organisations to be in a position to demonstrate compliance with its requirements, documenting the above will enable employers to:

• Identify and gaps in compliance
• Put in place processes to rectify gaps
• Produce evidence of its compliance on the new GDPR

In preparation for GDPR you must be aware of your data protection responsibilities and ensure that all employees are aware of their responsibilities when processing data. Ensure that you have an up to date data protection/privacy policies addressing the six principles of GDPR and apply it to your organisation.

For further information register now for our GDPR webinars  here
And read our GDPR blogs here

To book a free online demo of Bright Contracts click here
To download your free trial of Bright Contracts click here

Posted in Company handbook, Employee Handbook, GDPR, General Data Protection Regulation