10 everyday workplace activities that will totally change under the GDPR


On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect across the European Union, regulating how businesses should handle personal data. Businesses large and small need to get ready for this change.

However, research in March from industry analysts IDC found that fewer than half of European small and medium businesses have taken steps to get ready for the new regulations. So we have identified 10 everyday workplace activities that ought to be considered more carefully from 25 May onwards when the GDPR comes into force.

1. Celebrating a colleague’s birthday

An individual’s date of birth is their own personal data. Under the GDPR, unless shared in a purely personal or household activity, it should not be shared without express consent by the individual. So it is worth checking that you have everyone’s permission to host a shared calendar of birthdays in the office.

2. Sending office Christmas cards

If you were planning to send Christmas cards to your customers, stop right there. If that involves someone’s home address, then that is personal data, so once again it is not necessarily permissible under the GDPR unless you have the individuals’ consent in advance.

If you do not have express consent to contact each customer, a different legitimate basis must be established for each business communication you send.

3. Sharing a colleague’s baby photos

Think twice before sharing baby photos with international colleagues. All those adorable new arrivals may have to remain unseen by colleagues far away.

Personal data can only be transferred internationally if the destination country has been designated by the EU as providing an adequate level of data protection, if the transfer complies with an approved certification mechanism such as the EU-US Privacy Shield, or if the consent of the individual concerned has been obtained.

Of course, if the sharing of a baby photo is deemed a purely personal or household activity, then it can be argued to fall outside of the scope of the GDPR.

4. Catering for allergies at work events

Do you have colleagues with nut allergies? Or perhaps they have kosher or halal dietary requirements? Unfortunately, these are all classed as personal data. So before you pick up the phone to a restaurant or caterer, make sure you have your colleagues’ permission to share that information with others.

5. Forwarding on a candidate’s CV for a second opinion

Not sure about a potential candidate for a role in your organisation? Tough luck – once again, that is personal data and cannot be shared with another colleague unless that person is relevant to the role.

However, an easy way to get a second view of a CV is to anonymise it, removing name, address, phone number and any other identifiable information. This is also becoming a growing trend among businesses as a part of an approach to remove gender and race bias in recruitment.

6. Ticking the box to join a mailing list

Does your website registration form have a pre-ticked box for customers to receive marketing information from third parties? You might want to rethink that come 25 May.

Under the GDPR, silence, pre-ticked boxes and inactivity will no longer suffice as consent. You may also want to read through your privacy terms online, as a request by a business for consent to use personal information must be intelligible and in clear, plain language.

7. Talking politics in the office

Political opinions are part of a special category of personal information – sensitive personal data – and organisations cannot record or process data about this type of information unless it is absolutely necessary or they have obtained the explicit consent of the individual concerned.

So, that email chain about the forthcoming elections starts to look very dangerous: should anyone forward on an email chain containing people’s political opinions, that may fall foul of the GDPR.

8. Calling in sick

Health information is also part of that special category of personal information.

So, if you have to call in sick one morning because of a specified medical condition, then only the fact that you are unwell should be conveyed to others who need to know your whereabouts, rather than specifying the medical condition.

9. Data auditing

Under the GDPR, an organisation needs to have a designated person responsible for data protection matters, and in some cases a company may need to formally appoint a Data Protection Officer before carrying out any large-scale processing of personal data.

An individual appointed would be responsible for raising awareness of data protection regulations in an organisation, training staff and managing audits of data processes.

10. Managing a data breach

If your business suffers a data hack, you’ve got to think quickly about telling people about it. Under the GDPR, if personal data is accidentally or unlawfully lost, destroyed, altered or damaged, it needs to be reported to the supervisory authority within three days.

And it’s not just the relevant authority that needs to be notified – all individuals impacted need to be informed too if it is likely to result in a high risk leading to financial loss, identity theft or fraud.
