To what extent will HR policies and procedures be affected by GDPR, which comes into force on 25 May?
With so much attention given to the marketing and IT departments when it comes to GDPR compliance, it’s easy to overlook the other parts of the business that will be impacted. HR is probably one of the most affected areas in a business, as the new rules apply to employee information as well, not just customer information. GDPR is about the regulation of all personal data, and HR departments have a lot of it.
GDPR requires you to identify the lawful basis for processing data. This would normally be consent, i.e. the person agrees for their data to be processed. But GDPR complicates this when it comes to employee/employer relationships. Under GDPR, consent has to be freely given, and not as a condition for another service, such as a job. Due to the imbalance in the relationship between the employee and the employer, it is not clear that relying on consent would hold up under GDPR. Consent can also be withdrawn at any time under GDPR, and without a fallback ready, processing activities would need to stop.
New anti-bribery training from VinciWorks
Anti-Bribery: Know Your Deal drops users into immersive scenarios to test their knowledge, understanding and ability to uncover risks of bribery in their working life.
Despite the UK Bribery Act having come into force in 2010, bribery is still a hugely problematic issue in corporate life. Billions of pounds of fines are levied every year and frequent reports hit the headlines of investigations and prosecutions from the US Department of Justice and UK Serious Fraud Office.
Bribery cases have ensnared some of the world’s largest companies, biggest sporting bodies and most powerful politicians. The propensity for some people to act corruptly might never change, but our approach to training and compliance can.
In Anti-Bribery: Know Your Deal, users face a set of realistic characters and scenarios from all walks of life, some of whom may be trying to offer, or ask for, a bribe. It is up to users to assess each situation and decide on the best course of action based on company procedures and the law.
“We don’t do marketing.” “We already comply with the DPA.” “We outsource our IT.”
Does the legal sector need to worry about GDPR?
These are all bedtime stories some in the legal sector have been telling themselves about GDPR. The truth is, like any business, the legal sector must be ready for GDPR-day in May. There’s a lot of evidence to suggest it isn’t.
Law firms are both controllers and processors of their clients’ data, meaning there are quite a lot of rules that must be followed. Current data collection methods, particularly consent, must be reviewed before May. It’s crucial to review the conditions for processing data and identify the correct legal basis. Some conditions, like consent, may not be valid for all processing activities after May.
With GDPR day fast approaching, Director of Best Practice Gary Yantin and Director of Course Development Nick Henderson discussed the steps businesses should take to prepare. This was the first in a series of webinars on the topic of GDPR. You can download a recording of the webinar and the accompanying slides by clicking the button below.
How do you ensure that your staff undertake the training most relevant to them? How can experienced staff learn at their own pace and avoid just repeating the basics? VinciWorks’ two new gamified courses, Anti-Bribery: Know Your Deal and Anti-Money Laundering: Know Your Risk, allow users to “test out” and demonstrate their mastery of the subject matter quickly.
How does “testing out” work?
In VinciWorks’ latest anti-money laundering course, users gain extra points by reviewing additional reading material
When completing these courses, users can jump directly to the scored scenarios and achieve the required number of experience points by answering everything correctly. Staff who answer incorrectly or who feel more comfortable reading background material first can choose to review the additional material and accrue enough experience points to complete each module that way.
Does your organisation have an up-to-date gifts and corporate hospitality policy in place? Are you able to easily register any gifts you receive or give? Having an up-to-date gifts and corporate hospitality policy in place will help you comply with your responsibilities under the Bribery Act and other anti-corruption legislation.
What should be included in a gifts and corporate hospitality policy?
The purpose of such a policy is to ensure that your organisation and its employees comply with the anti-bribery and corruption policy, bribery laws and best practice in combating corruption in all of the countries and business areas in which you operate. The policy should complement your organisation’s bribery and corruption policy. Here is some guidance on what the policy should include.
Despite the UK Modern Slavery Act coming into force in 2015, there are still millions of slaves around the world
UK report finds that almost 50% of FTSE 100 companies do not meet the minimum requirements set out by the Act
The second annual report on large companies’ efforts to ensure there is no modern slavery in their supply chains reveals disappointing results. The report shows that only 57% of the FTSE 100 companies are meeting the minimum reporting requirements set out by the UK Modern Slavery Act. It also reveals Marks & Spencer, Sainsbury’s and Unilever as the best performers, with Hargreaves Lansdown, Paddy Power Betfair, Pearson and Worldpay shamed as the weakest. With the UK seemingly a long way from solving the issue of modern slavery, this blog examines why modern slavery is still a problem today and what businesses are doing to tackle the issue.
Will continuing to send marketing emails put your business at risk of breaching GDPR?
Does the General Data Protection Regulation (GDPR) mean you can’t send any more marketing emails?
JD Wetherspoon, the UK’s largest pub chain, hit the industry headlines last year when it decided to delete its entire marketing list. GDPR has injected a sense of impending doom into email marketers worried that carefully cultivated lists will need to be trashed come GDPR day.
This is not the case. GDPR does not prevent direct marketing taking place, nor does it mean your lists have to be deleted and collected again from scratch. However, it does mean marketers have a greater responsibility in processing personal data, and some issues around consent to market may have to be looked at.
VinciWorks adds Subject Access Request module to GDPR course
GDPR Myth #2: GDPR requires you to delete all of a person’s data if they ask
VinciWorks has published an e-book warning businesses about the dangers of the gig economy.
Compliance Risks and the Gig Economy takes businesses through the potential legal minefield of using gig economy apps for business purposes. From renting a room through Airbnb, buying a service on UpWork or hailing a ride on Uber, when a business interacts with the gig economy, it can have a knock-on effect across compliance areas from employment law to equality to modern slavery. Most recently, the already-under-fire Uber has been exposed for concealing a massive global breach of the personal information of 57 million customers and drivers in October 2016.
Prime Minister vows to crack down on those taking advantage of workers
Theresa May recently promised to overhaul the rights of millions of workers in the UK. The crackdown, regarded by one business group as “the biggest shake-up of employment law in generations”, includes the PM’s pledge to clamp down on firms using unpaid interns, quadruple fines for non-compliant organisations and launch a “naming and shaming” list of the worst perpetrators.
Millions of Brits working independently
With around 14 million Brits taking part in some form of independent work, whether traditional freelance or through a new gig economy app, the potential compliance risks range from equality and discrimination to tax evasion, modern slavery, and even data protection.
Does GDPR require businesses to delete all data upon an individual’s request?
The right to be forgotten is one of the key innovations of GDPR, but it’s not exactly a new right, nor is it absolute. It developed in European law in the aftermath of an important court case known as the Google vs Spain ruling. In 2010, a Spanish citizen complained about an outdated court order against him appearing on Google search results. The European Court of Justice agreed this infringed on his right to privacy and ruled that individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them where the information is inaccurate, inadequate, irrelevant or excessive.
The right to be forgotten has been enshrined in GDPR as the right to erasure. This is slightly more encompassing than the original Google vs Spain rules, giving an individual the right to have their personal data erased and prevent it being processed in specific circumstances.