GDPR: What are the risks if you provide employee benefits?
Unless you’re a business recluse, you’ll know that the EU General Data Protection Regulation (GDPR) is looming large on the horizon. This legislation becomes enforceable on 25 May 2018, superseding the UK’s Data Protection Act (DPA) and placing the onus squarely on companies to take individual data privacy seriously – and rightly so.
Any organisation that holds personal data, either as a ‘controller’ or ‘processor’ (in GDPR-speak), will need to comply with the regulation or else face swingeing fines. Brexit or no Brexit, UK businesses must play by the EU rules.
What are the risks if you provide employee benefits?
If you offer employee benefits, every broker and provider you use will need to be GDPR-compliant. Under GDPR, you as the data ‘controller’ (or owner) may be jointly liable for any mishandling of the data by the ‘processor’, including third-party companies.
There are some significant risks involved, including:
- sending personal employee data to multiple places, which multiplies the scale of the risk
- staff in each organisation being unaware of the need to protect this data
- sending personal employee data insecurely
- sending personal employee data to the wrong people, i.e. using incorrect email addresses.
Failure to protect your employees’ personal data will be costly. You may need to pay for the investigation of a security breach, legal costs, or fines from the Information Commissioner’s Office (ICO). Reputational damage could also seriously harm your company.
How can you mitigate the risks?
Offering employee benefits through a reputable provider with an online benefits platform will make it easier to mitigate these risks. In a busy HR department, you will already have a lot to manage, but a single, online employee benefits solution provider should considerably reduce your workload and increase your peace of mind. For example:
- you will only need to provide employee datasets once – your online benefits partner will then deal with all third parties on your behalf, including your health, life, pensions and other benefit providers (this is easier and more secure than managing multiple paper trails with multiple providers)
- if your online benefits partner has their own GDPR house in order, you can relax in the knowledge that your employee data is being handled in compliance with the law
- your online benefits partner should be able to support you in providing your personal datasets in the correct format and in the most secure, GDPR-compliant manner.
Tell employees how their data will be used
You’ll need to update your employment contracts to make employees aware that their data is being shared with an employee benefits provider. Will your online benefits partner have the HR expertise to advise you on contractual and policy issues too?
How is PES preparing for GDPR?
At PES, we’re absolutely committed to being fully GDPR-compliant. We handle personal data on behalf of 150 clients and manage data protection in strict accordance with UK law. We endorse and support the aims of the GDPR legislation and are implementing robust processes to ensure compliance by 25 May 2018.
We have our own proprietary technical platform with a dedicated IT team, which means we can more easily incorporate the technical changes required by the new legislation. We offer our clients a secure data transfer method direct into our employee benefits platform. For non-platform transfers, we use other secure methods such as SFTP or TLS encryption.
We’ll be happy to share our knowledge, expertise and practices to help our clients use safe and appropriate data transfer methods.
Not only that, our in-house HR experts are on hand to advise on any contractual or policy issues that may be affected, ensuring best practice and a joined-up approach to GDPR compliance.
And because we specialise in supporting organisations with up to 1,500 employees, mid-sized to smaller businesses can be assured of our full attention.
GDPR is everyone’s responsibility
Of course, every organisation that holds and processes personal data will be individually liable for ensuring compliance with GDPR. But if you offer employee benefits, or are thinking of doing so, bear in mind the importance of choosing providers who are fully compliant and have robust cyber security measures in place.
Better still, consider how a single employee benefits partner with a proprietary, online platform, an in-house broking service, HR support, and a strong track record in handling personal data, could make life easier for you.
About PES
Delivering a great employee experience is a challenge for growing organisations. At PES, it’s what we do. Our online employee benefits platform, HR support and workplace wellbeing services bring out the best in your employees – enabling your business to thrive.
Call us on 01454 808658, email us at hello@wearepes.co.uk or fill in our enquiry form.