Avoid the HR blame game

HR management is critical for every business and helps companies succeed in hiring the right employees for a job, keeping team members engaged, and supporting their growth and development.

So why do so many companies fail with effective HR management?

Your workers are your greatest asset. It’s important that you take care of them in order for them to take care of your business. If you don’t, it’s probable that unwanted headaches may arise.

Looking after your team may come naturally to you as a business owner or manager, but having the appropriate policies and procedures in place ensures clarity and fairness.

Without the correct policies and procedures, you can make your business susceptible to various HR issues.

One example of such a problem that Crimson Crab has had to deal with related to an apparent lack of understanding of a leave policy, something both employees and employers must be on the same page about.

The director received a text from an employee outside of the business working hours, with a request for leave.

The employee had already booked their holiday while expecting the response from the director to be an approval.

The request was for a significant break at a busy time of year. There was an unwritten rule that all such leave should be brought up first to avoid putting pressure on other team members to provide cover.

Quite rightly, the director acknowledged the request for leave, saying they would think about it.

A little while later, the request for leave was declined, and you can imagine the discomfort and uproar this caused between the employee and their boss… not to mention the workforce too.

Some time later the employee left the company. This triggered a formal complaint via an Employment Tribunal.

Eventually, the former employee withdrew their case and it didn’t lead to a ruling. However, it had consumed much time, energy and money which might have been used more profitably elsewhere.

A lesson was certainly learnt. And what might that lesson be?

It’s important to have a robust policy which is clear to all staff and most importantly is consistently adhered to, and applied without fear or favour in a timely way.

If it had been crystal clear how leave requests and their approval worked within this particular business – which forms an important element of any company’s HR management – none of this would have taken place.

It’s essential that everyone understands the HR policies and follows the processes in place.

For more information on how to keep your HR policies up-to-date with Crimson Crab, and to avoid the horrible consequences of issues which may arise, get in touch with a member of our team today.

Data Protection Essentials

Here are 23 questions that you really should know the answers to:

  1. Do you understand what data flows through your business and record:
    • what personal data you hold,
    • where it came from,
    • who you share it with and
    • what you do with it?
  2. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent:
      • Is it good consent,
      • Do you record how it has been given; and
      • Do you record and manage ongoing consent?
    • If you are relying on legitimate interests:
      • Have you done the three-part test, and
      • Can you demonstrate that you have fully considered and protected individuals’ rights and interests?
  3. Are you currently registered with the Information Commissioner’s Office?
  4. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
  5. Can you deal with a Subject Access Request, i.e. requests from people to access their personal data, within one month?
  6. Do you make sure that the personal data you hold remains accurate and up to date?
  7. Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
  8. Do you know what to do when someone asks you to restrict the processing of their personal data?
  9. Can someone move, copy or transfer their personal data from your system to another safely?
  10. Can you deal with an individual’s objection to the processing of their personal data?
  11. Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
  12. Do you have a data protection policy, and demonstrate your compliance with it?
  13. Do you regularly review the effectiveness of your data handling and security controls?
  14. Do you provide data protection awareness training for all staff?
  15. If you have third parties that process your personal data, do you have a written contract with them which meets the legal requirements?
  16. Do you know the information risks you have and their business impact so that you can manage them in a structured way?
  17. Have you implemented technical measures and policy to integrate data protection into your data processing?
  18. Do you understand when you must conduct a Data Protection Impact Assessment?
  19. Have you nominated a data protection lead, or a Data Protection Officer if you are required or prefer to? (Note: this role can be outsourced.)
    • If you have a Data Protection Officer, have you notified the Information Commissioner’s Office?
  20. Do you champion a positive culture of data protection compliance in your business?
  21. Do you have an information security policy supported by suitable security measures?
  22. Do you record all personal data breaches no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the Information Commissioner’s Office?
    • Do you know which must be reported to the data subject?
  23. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know the answers you really had better find out – we can help – take a look at our data protection solutions.

Why are Terms and Conditions important for my business?

Terms and conditions (T&Cs) – the small print – are understandably not the most exciting of issues for you to focus on, but they are crucial to safeguard your company and its clients.

Trusting people’s word is good, but it’s not enough if things go wrong.

What is the point in having Terms & Conditions for my business? Are they required by law? When did I last read the small print before signing on the dotted line?

Questions like these may be floating around in your head – so let’s clear up some of the negative connotations you may have when it comes to terms & conditions, and work towards building your understanding of their value.

Protect yourself

Even when your terms are written and signed, it doesn’t necessarily make them legally secure. When you are dealing with a non-business customer, according to the Gov.UK website: “A contract term and notice has to be fair to be legally binding on your customer. If it isn’t, they can challenge it – including in court if necessary.” There is also legislation which limits the extent to which one party can avoid liability through the use of exclusion clauses such as disclaimers in any contract.

Terms & conditions which are fair to your client have the power to protect your business if or when someone who has agreed to purchase your services doesn’t stick to what was originally agreed. It would be unwise to provide a service without terms & conditions; with thorough but fair terms you will have more of a leg to stand on to protect yourself.

For example, if you sell something online, a non-business customer gets a right to cancel the purchase for any reason within fourteen days of delivery. If you don’t tell them about that right, they can have a year to cancel. You have to give a full refund including all postage charges.

Protect your clients

Whether you are operating as a B2B or B2C enterprise, nothing you achieve now would be possible without your customers. Every business needs money to prosper – it’s economics – so why would you not want to protect your clients and reassure them in the process?

When you invest time to write your terms, place yourself in your customers’ shoes and ask yourself about how they may read and access them.

Review your Terms & Conditions

It’s best practice to review terms on a regular basis – perhaps once a year or every time you change an element of your service. Make it a part of your annual plan, to ensure they continue to be robust for your business, are fit for purpose and continue to reassure clients who purchase your product or service.

It’s also worth noting and understanding what ‘force majeure’ means. It’s written into contracts to cover situations where unforeseeable circumstances prevent a person from fulfilling a contract. So – in a nutshell – when something goes pear-shaped your business and clients remain protected.

For more information or to discuss this topic further, get in touch with our team.

Is the fitting of a video doorbell in a home used for business purposes covered by GDPR?

The short answer is “it depends”.

Here is a link to the ICO’s guidance for people using CCTV in a domestic setting https://ico.org.uk/your-data-matters/domestic-cctv-systems-guidance-for-people-using-cctv/.

The second paragraph on this page is the most important one to consider.

Here is a link to the ICO Checklist on the business use of CCTV: https://ico.org.uk/for-organisations/data-protectionself-assessment/cctv-checklist/. You will need to consider this, particularly if you have clients coming to your home.

Things to think about before Brexit

If you haven’t already thought about it, there are some things that you will need to do to prepare your business for Brexit.

Especially if you:

  • import or export goods or services to the EU,
  • exchange personal data (including customers’ addresses, staff working hours or information you give to a delivery company) with an organisation in Europe (this includes using websites or services hosted in Europe & processing personal data from Europe), or
  • use or rely on intellectual property (IP) protection (this includes copyright, trademarks and patents).

There is a useful step by step guide at https://www.gov.uk/get-ready-brexit-check

Copyright

To put the record straight, copyright is an automatic right. Therefore, when you produce a creative work, you own the copyright in it. There are a few exceptions; for example, if you have a contract of employment, the contract will generally state that when you are employed the employer owns the copyright of material you produce at work.

Copying or adapting someone else’s work is a ‘restricted act’. An adaptation is a ‘derived work’. If someone adapts your work, you still own it. There is no acceptable percentage of changes.

You have every right to object if they publish such a work when you have not given them your permission to do so. You are also entitled to reclaim any money they make from selling your work. They could seek your permission to use the work as the rights owner, however, you will be able to charge a fee and/or royalties for this.

Read more about copyright. If you would like more detailed information about copyright please ask for our Copyright White Paper.

Do we have to have a Data Protection Policy?

There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulation (GDPR). However, there are some areas where such a document could prove useful.

Documentation

The GDPR contains explicit provisions about documenting your processing activities:

  • You must maintain records on several things such as processing purposes, data sharing and retention.
  • Documentation can help you comply with other aspects of the GDPR and improve your data governance.
  • For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.

Transparency

In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. You must provide individuals with information including:

  • your purposes for processing their personal data,
  • your retention periods for that personal data, and
  • who it will be shared with.

This is called ‘privacy information’. (Some businesses give this information in a “Privacy Policy” found on many websites.)

You must provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

Using Data Processors

As well as imposing a legal obligation on data controllers (the owners of the data) to formalise their working relationship with data processors in a written contract, the GDPR makes controllers responsible for assessing that the processor is competent to process personal data in line with its requirements. Part of this process is to ask to see relevant documentation, such as the processor’s privacy policy, record management policy and information security policy.

Network referrals

When seeking referrals off people in my networking group, what information is safe to gather? So, let’s say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service – so passes us their contact details. Is this safe?

Samuel Poole, Marketing Communications Manager, Syn-Star Complete I.T. Solutions

Great question. Actually, in data protection terms it is not safe to do this unless certain things are in place.

Essentially, when dealing with personal information such as contact details, the person who decides what to do with the information is a data controller; in this case, Bob.

The data controller has to “process” personal data fairly (processing includes passing it to a third party, i.e. you). They also have to have one of six lawful reasons to be able to process the data. The most appropriate of these in these circumstances is the consent of the data subject. This has to be GDPR compliant consent, i.e. given freely, not under duress and in full knowledge of what they are consenting to.

The data controller also has to give “privacy information” explaining how the subject’s data will be used. There are specific things that have to be included in this information, which often takes the form of a notice but can also be given verbally depending on the circumstances.

It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.

Of course, once the information comes into your hands for marketing purposes you become a data controller. In addition, you will need to comply with the Privacy and Electronic Communications Regulations in relation to electronic marketing messages (phone, fax, email or text).

How long does personal data have to be stored under the data protection law?

The short answer is no longer than necessary.

Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:

  • the current and future value of the information;
  • the costs, risks and liabilities associated with retaining the information; and
  • the ease or difficulty of making sure it remains accurate and up to date.

There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.

The CIPD have a great resource regarding HR records which can be found here.