Is BambooHR UK GDPR Compliant?
Simply, yes! If anyone tells you it's not, you shouldn't trust them.
What is UK GDPR?
The EU GDPR is an EU Regulation and it no longer applies to the UK. If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018). The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR. In practice, there was little change to the core data protection principles, rights and obligations. GDPR recitals add depth and help to explain the binding articles. Recitals continue to have the same status as before – they are not legally binding; they are useful for understanding the meaning of the articles.
Download the Guide to Data Protection for a detailed explanation of the UK GDPR. The GDPR established more stringent requirements for businesses to protect the personal data and privacy of citizens of the European Union (EU) and the European Economic Area (EEA). The UK adopted this law under the Data Protection Act 2018, and it continues to control how our personal information is used by organisations, businesses and the government.
The Data Protection Act 2018 was the UK’s implementation of the General Data Protection Regulation (GDPR), intended to maintain the same standards as our former EU Partner Member States. It requires that all organisations in and outside of the UK that use personal information follow strict rules called ‘data protection principles’. Companies are required to make sure that information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
The law governs the privacy and data protection of all UK residents and will continue to do so until it is either replaced by a new data protection law or repealed. On 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before, in the majority of circumstances. Both decisions are expected to last until 27 June 2025.
The General Data Protection Regulation has been kept in UK law as the UK GDPR.
This guidance is aimed at UK businesses that receive data from, or have offices in, the EU and the European Economic Area (EEA). It gives a basic overview of the changes to data protection since the UK left the EU and now has an approved adequacy decision.
We have also produced more detailed guidance on Data Protection and the EU.
The GDPR is designed to give consumers control over their own personal data in four main ways:
- Consent: People have the right to choose whether or not an organisation can collect their data, and if so, what data they collect.
- Transparency: People know about the data that is being collected and what it will be used for, and companies must be open about any possible data exposure in the event of a security breach.
- Access: Consumers have access to any personal data an organisation has collected about them in the past, along with the option to delete any data that has been collected.
- Security: Consumers feel confident that their personal data is being stored in a secure manner.
There is stronger legal protection for more sensitive information, such as:
- race
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- genetics
- biometrics (where used for identification)
- health
- sex life or orientation
There are separate safeguards for personal data relating to criminal convictions and offences.
What is the ICO's role?
The ICO remains the independent supervisory body regarding the UK’s data protection legislation.
The ICO will not be the regulator for any European-specific activities caught by the EU GDPR, although it hopes to continue working closely with European supervisory authorities.
What's happened in the 4 years since the GDPR was launched?
Almost 48 months on, and according to the Government, the GDPR has made more UK businesses increasingly resilient to cyber risks, although companies still have much more to do. In the Government’s latest annual cyber security breach survey, carried out in the final three months of 2018, 1,566 businesses were asked if they had experienced cyber security breaches or attacks within the previous 12 months. Thirty-two per cent of respondents said they had, down from 43 per cent in the previous year’s survey; this drop has been attributed in part to measures businesses have undertaken to comply with the GDPR.
In 2021, fewer businesses identified breaches or attacks than in 2020 (when it was 46%), while the charity results are unchanged. This could be the result of a reduction in trading activity from businesses during the pandemic, which may have inadvertently made some businesses temporarily less detectable to attackers.
Cyber risk expert Ian Birdsey, of international law firm Pinsent Masons, has stated that “while some SME businesses took limited steps to prepare for the GDPR a high proportion of those organisations were not prepared for a data breach and have never taken essential security steps either to prevent an incident, for example by implementing multi-factor authentication for systems access, or be in a position to respond to an incident, such as by activating logging”.
Despite all the progress made, only a minority of micro and small businesses have written cyber security policies or formal incident management processes in place. Most have not arranged any form of specific training, nor do they have senior staff with particular responsibility for it as part of their job role. Nonetheless, GDPR has accelerated the pace of change across organisations, and businesses are now seeing cyber security as a higher priority than ever before.
As for large businesses, the Government report found that more of these have board members with a cyber security brief, although it’s still a minority with a disappointing 41% not having it. Instilling better knowledge and understanding of cyber security across board members can be the difference between cyber security being treated as a fairly high priority, or a very high priority.
If you still find yourself confused and concerned about GDPR, click here to download the UK Cyber Security Breaches Survey 2021 or contact Orchard House for some advice.
Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).
What Is Personal Data?
When people think of personal data, they often imagine the kind of information they think identity thieves would find useful: passwords, bank accounts, medical records, Social Security numbers, and the like. That’s not wrong—all of the aforementioned pieces of data are personal data—but it’s not the whole picture.
Personal Data: Identifying Versus Identifiable
In reality, personal data, especially according to the GDPR, is a much broader category, broken down into two types: identifying data and identifiable data.
- Identifying data is the kind of information we’ve already mentioned above: data that identifies you as an individual person, like your driver’s license number, biometric information, or Social Security number. It’s the kind of sensitive information that might by itself or in combination with another piece of trivia (like your mother’s maiden name) be used to prove or steal your identity.
- The second kind of personal data, personally identifiable data, includes almost any information about you, from your email address, your age, and your occupation to your shirt size and favourite colour—all of it is personal to you, even if it can’t be used by itself to identify you individually. This also includes any information that reveals your activity or location, including electronic information like your IP address, tracking cookies in your browser, GPS signal, and cell phone data.
While there are many laws and regulations, like HIPAA, for example, that apply to collecting and using identifying information, the GDPR is designed to give people control over all of their personal data—both identifying and identifiable—and as a result, it doesn’t specify what exact data qualifies as personal data. That means organisations that collect any information whatsoever need to be extremely careful about how they collect, store and use it.
What Does UK and EU GDPR Compliance Mean for US Companies?
Many people assume that the GDPR only applies to companies with clients or physical offices in the EU. However, the law applies to any organisation that collects personal data from UK, EU or EEA consumers, which means you don’t have to do any business in the EU to be liable; all it takes is interacting with UK, EU or EEA residents online.
And since fines for non-compliance can be as high as 4% of your organisation’s yearly global revenue, up to a maximum of €20M, it makes sense to spend the effort on GDPR compliance.
It’s important because many UK-based businesses are trying to use the law to their advantage. Our advice is simple: if a company is capable of a malicious misinterpretation of the law, you should question whether you want to allow them to look after your organisation's personal data. For further information, you should speak to the Information Commissioner's Office (ICO), which will confirm the responsibility exists.
GDPR Compliance Checklist for UK and US Companies
As a first step, before beginning any GDPR compliance initiatives, we recommend that you seek advice from a qualified expert who can analyse your situation and suggest proper action appropriate for the type and quantity of information your organisation collects and how it uses that information. If your organisation is a government agency or deals with large quantities of personal data, you may be required to appoint or hire a Data Protection Officer (DPO) who has expert-level knowledge of data protection laws and practices.
Please note that none of the following advice is legal advice; it’s simply what we have advised our Partners after researching other expert recommendations and the official GDPR website (which, for the record, has its own compliance checklist).
1. Review, Document, and Publish Your Data Collection and Handling Practices
The GDPR requires companies to maintain an up-to-date list of data collection and handling processes. This is a good thing because the best way to know what you need to do to become GDPR compliant is to first understand:
- What data your organisation collects from the public
- Where and how you collect that data
- How you store and protect the data you collect
- How you use that data
Creating such a list is not only required, but it also ensures that your later efforts to verify, protect, communicate about, and allow control over personal data aren’t stymied due to an incomplete grasp of your data handling activities.
Your review should include analysing your current data to determine what types of data you already own, from whom, and how that data is stored and made accessible. For example, this might include:
- Mailing lists
- Email marketing lists
- Phone numbers
- Financial information
- Client company information
You should also document the methods and channels you use to collect personal data, which is important in order to establish consent and ensure security. This might include:
- Events or online presentations
- Active digital tracking
- Passive digital tracking
- Phone sales or online form fills
- Business partners, third-party apps, plug-ins, or contracted agents that collect data as part of their function
Most companies will benefit from assigning an individual or team of individuals to act as the central point of data management and GDPR compliance. This person or team can create a plan of action for the various departments involved and act as a liaison and single point of contact between the company and any outside agents or authorities, such as an external DPO or an EU-based data manager. This internal data management role or team can also monitor ongoing data handling efforts, ensure external communications are kept up to date, and coordinate any staff training about proper data collection.
2. Verify Consent at All Data Collection Points
After full documentation of your data collection and handling practices, your organisation needs to ensure that the data you already own was collected with consent. If not, you must either remove it in a secure manner or obtain consent retroactively. You’ve probably seen this all over the place in the form of cookie consent banners on websites.
These notifications are only a part of GDPR consent compliance, one that makes a formerly invisible practice visible to consumers. But to stay in compliance, you need to acquire consumer consent in any situation where you are collecting information, whether in person or online, via a form or any other submission by the public. That includes data that you collect or have collected for research, marketing, sale of goods and services, or at any other time. You must disclose how you plan to use the data in clear language, and the best way to do so is via a disclaimer in the same place as the form being filled.
The GDPR requires consent from a parent or guardian in the case of collecting personal data from children under 16 years old; the best practice, in this case, would be to provide an age verification process, even if it is just a disclaimer or verification check box acknowledging that the person is over 16.
In the case of data you’ve already collected, you should either request consent to continue using that data by contacting the data subjects or consider securely deleting all of your stored personal data, as using any data without consent would violate the GDPR.
3. Implement GDPR-Compliant Data Security Measures
GDPR compliance requires that organisations take appropriate measures to protect the personal data they collect, store, and use, from the time it is collected until the eventual deletion of that data. What is appropriate depends on the nature and amount of the data collected and the intended use, and must follow “data protection by design and by default” principles.
GDPR guidelines suggest hiring both an attorney and reputable security expert in order to define what is appropriate for your own organisation, and the measures you take should be documented in the list in step one. You should also communicate your security measures internally so that everyone is up to speed on what you’re doing and what needs to be done in the event of a security issue.
Does BambooHR Protect Your Data? You Bet We Do. Read Our Security Statement.
4. Revise and Maintain Privacy/Data Request Policies
As part of communication and consent, Article 12 of the GDPR outlines how to communicate your collection and handling of data via a privacy policy. To be compliant, you have to inform readers of your data collection practices, your intended use of the data, and who has access to the data.
GDPR compliance also requires that companies make it easy for users to request the data you’ve collected and to request that you delete or stop using their data. Best practices would suggest that you clearly communicate this on an independent page with links to make such requests and that you link to the page from within your privacy policy.
5. Develop a Data Breach Plan of Action
In the event of a security breach, the GDPR requires disclosing the breach to authorities within 72 hours. Outside of the EU, this means notifying the Office of the Data Protection Commissioner in Ireland.
We highly suggest creating a plan of action to deal with possible data breaches. Doing so helps ensure you are practising appropriate data security even after an event compromises your data security measures. A data breach plan might include:
- Cutting off all access to data except for security team members until the issue is discovered and security measures have been restored or updated
- Notifying stakeholders internally of what happened with a possible timeline of when it happened and how long it will take to recover
- Documenting the timeline of the event and cataloguing any data that may have been exposed
- Notifying authorities of the data breach
- Communicating to the entire organisation about the data breach, its implications, and appropriate ways to discuss it with or handle information requests from clients or the media
- Creating an official communication to send to any affected people outside the organisation
- Creating a public statement about the data breach with instructions to find further information
As far as being compliant, the GDPR requires organisations to notify anyone whose data may have been exposed “in a timely manner,” although there is no specific timeline mentioned and it is not required if the data exposed was still encrypted.
Don’t Be Afraid of GDPR Compliance
UK & EU GDPR compliance can seem overwhelming and fraught with risk for the average non-expert, and to a certain extent, it is—that’s why we recommend seeking expert advice from someone who understands your legal obligation for compliance.
Becoming UK & EU GDPR compliant if you’ve never handled data securely or collected it with consent in the past may take some serious effort. Even if you have been responsible for your data, tracking down all the areas where you need to add disclaimers and clearly seek consent can be time-consuming.