How GDPR affects your SME
GDPR replaces the UK Data Protection Act (DPA), a tired and creaking piece of legislation from the nineties that’s no longer fit for purpose in this ever-changing digital age. It affects everybody, but employers at a small or medium-sized business more than most.
Because if you get it wrong, you face a fine of as much as €20 million or 4% of your annual worldwide turnover.
What can you do to get started?
- Let the relevant people in your organisation know that the law has changed.
- Take an audit of the personal information you hold and who you share it with.
- Ensure you have the systems in place to help your business remain compliant when storing employee data.
Need more information on how to comply? Check out this list of twelve steps you can take to get ready for GDPR.
Frequently Asked Questions
When you subscribe to BrightHR, we become the data processor and you remain the data controller.
BrightHR processes the data in a way that is compliant with GDPR and other data protection laws.
For example, we will always:
- Store data local to the company that's using it.
- Encrypt the data while in transit and at rest.
- Use secure protocols for transporting the data.
- Delete data permanently from the system when you ask us to erase it.
As a data controller you have a responsibility to act on individuals’ rights. For example, you will need to act on a person’s right to see what information you hold about them, or their right to erasure. It’s your responsibility to decide whether you have a lawful basis to keep storing this data or need to remove it.
If you choose to remove one of your users’ data, we would delete all of their data permanently from the system. So in summary, while our software will help you to achieve compliance, you are responsible for defining the retention policy for your data.
We conform to the ICO guidelines for breaches (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/), so we would inform you without undue delay. As the data controller you would need to inform the ICO within 72 hours of becoming aware of a breach.
We use your data to provide you with a service. We also use customer data to create aggregate statistics that don’t allow customers or employees to be identified.
We use the aggregate data to develop new features as part of the service, to plan and operate the service and for marketing purposes.
We will not share transactional or customer data with third parties. But if you’ve opted into our marketing, we will use your contact details to send you marketing material.