The GDPR (General Data Protection Regulation) came into force just over a year ago. At the time, there was a huge furore, but for many small businesses once the boxes had been ticked and the deadline passed, everything calmed down and compliance went down to the bottom of the priority list once again.
It’s a common attitude, according to Cathy Brode, Information Governance and Data Protection Consultant at Conformitas Consulting. From the conversations she’s been having recently, it’s apparent that many businesses still aren’t clear what GDPR means for them.
According to Cathy: “A lot of companies didn’t do anything before 25 May 2018 and took the view it was a one-off incident similar to the Millennium Bug that proved to be a storm in a teacup. But it’s not. It’s ongoing legislation, like health and safety legislation, and it has things that every business has to do to make sure it is storing and processing personal data correctly and, in particular for sensitive data, securely.”
At the heart of the legislation is enhancing the rights that individuals have over the collection and use of their personal data. And it’s important to remember that GDPR doesn’t just cover customers’ personal data: employers also need to ensure that their employee data is properly treated and protected.
Let’s take a look at some of the issues around employee data.
How You Store Your Employees’ Personal Data
The data you hold on your employees is vital information you need while they are with you as well as for a period of time afterwards. Information such as name, address, National Insurance number and relevant medical information is just the start. There’s also the banking information you use so you can pay their salary and reimburse their expenses.
This is all highly sensitive information which needs to be kept very secure. If it was stolen, the risk of fraud and identity theft is extremely high.
When you start to think about where and how you store employee data, the risks quickly become clear. Data could be stored in an email system, on an intranet, in the cloud or with a third-party provider such as SAP Concur. Often, it’s stored in more than one place at once. How confident are you in the security of that data and the way it’s looked after?
What Happens if there’s a Breach of Personal Data?
The GDPR stresses the importance of proportionality of response.
Say, for example, an employee had been for an eye test. They’d scanned the receipt, which had their name and address details on it, and emailed it to their line manager for approval together with a completed expense claim form. When their line manager forwarded it on, they accidentally emailed it to David Brand, one of your IT contractors, rather than David Brown, your finance assistant.
The procedure in this case might be to contact David Brand, ask him to delete the file and email you to let you know he’s done it. Then, as a courtesy at least, you would email the employee to let them know what happened and what you’ve done about it. You’d then document the breach, as you must, and use it as a learning experience to consider how you could improve your processes to prevent the same mistake happening again. For example, if you were to use Concur Expense, the employee could have photographed the receipt and automatically filed an expense report in the system, and there would have been no need for anyone to email anything anywhere.
On the other hand, if there is a larger data breach you would need to report it to the Information Commissioner’s Office within 72 hours of finding out about it. You’d also follow the same audit process to see what could be done to stop it happening again.
Securing Your Compliance
Compliance with the GDPR starts with an audit of your systems and processes to understand the what, where, why, when and how of the way you use and store data. If you haven’t already audited your processes, the Information Commissioner’s Office has a Data protection self-assessment toolkit. And if you’re keen to do the exercise as part of a wider risk and compliance assessment, a good starting point is How to Create a Risk Management Plan and Why You Need One.
If you’re using SAP Concur, it’s reassuring to know we’ve got your back. Our tools allow you to meet your GDPR requirements as a data controller. And they deploy the SAP Data Protection Management System, which holds a BS10012:2017 audit as confirmation of its security.
By taking the time to put the necessary procedures in place, you’re strengthening your business and protecting it from the risks of non-compliance. You’re also protecting your employees and their personal data.
If you’d like to find out how SAP Concur solutions can help you increase compliance with GDPR regulations when it comes to expense, travel and invoice, contact us.