Are your employees emails their own affair?

July 2018

Are your employees emails their own affair?

There can’t be many, if indeed any, workplaces that don’t have open Internet access and work email accounts for their employees. But that doesn’t mean that they can send jokey emails, watch the tennis and carry out hours of social media activity without consequence. The reason for that lies largely in a case taken to the European Court of Human rights.This 2016 article from The Telegraph reports on it.

Strasbourg legal eagles made the decision that employers have the right to spy on staff’s work emails and so forth following the sacking of a Romanian engineer found messaging his fiancée on Yahoo chat. The employee in question had been given Yahoo chat for work purposes.

All of this said, there are of course caveats and considerations for the employer. Not least of which is GDPR.  As this article in the Birmingham Mail points out, as a boss you have every right to monitor your staff’s electronic communications. BUT. You must pre-warn them. You must tell your employees what monitoring arrangements you have in place and the reasons for them. No playing I-Spy without they know the rules of the game!

Are your employees emails their own affair

From an HR perspective, ACAS outlines these key points about workplace monitoring and the reasons for doing it.

  • You must, must, must, must have policies and procedures in place about workplace monitoring. And they MUST be written down. This is your golden rule.

Your policies should explain with clarity the extent – if any at all – of personal use your employees are allowed. It also needs to explain that you may well check on their computer use and what the consequences are of breaching the policy. Your policy needs to emphasise that you forbid them from sending unsuitable and inappropriate email material that relates to:

  • Gender
  • Ethnicity
  • Race
  • Sex
  • Sexual orientation
  • Religious or political convictions and 
  • Disabilty
  • This monitoring must not be excessive and it should be justifiable. You’ll need to take care if finding message that are clearly private and personal. The onus is on you, the employer, to be circumspect. Yet, if you feel this usage contravenes your policy then you must raise it with the staff member as soon as possible.


  • You should communicate to your staff what information you’re recording, why you’re recording it and how long you will keep it for.


  • Any information you collect through monitoring should be kept secure.

Anyone that’s raised either a puppy or a child will know that the best approach is three-pronged one:

  1. Firm
  2. Fair
  3. Consistent

Well, it’s much the same with the monitoring of workplace emails and Internet usage. As the contributor to the Birmingham Mail article points out – problems come about when excessive use is tolerated. In particular if inappropriate images and jokes are involved. What’s needed is a robust and consistent approach to ensure cooperation from all concerned.

And as for employees – if you don’t want a message to be read then don’t send it over your employer’s system. Simples.

If you’re an employer and this is a situation you’d like advice and support with then get in touch.  Send a message via the webform or call the office on 01793 877787.

If you’re feeling social find Go-Legal on Twitter. Or follow us on LinkedIN



The Implications of GDPR on HR and Payroll Departments

28th April 2018

The Implications of GDPR on HR and Payroll Departments

The Implications of GDPR on HR and Payroll Departments

Earlier this year we published an overview blog about GDPR questions. One thing is for sure: for every question answered more arise – if the networking session I attended this morning is anything to go by.

No-one has yet charted the GDPR waters so there’s really no such thing as a GDPR expert. That said, in this post I’ll attempt to highlight the implications of GDPR for HR and payroll staff.

GDPR is about you as much as it is about your customer

The GDPR compliance date is fast approaching. So companies and organisations of all shapes and sizes are expanding frantic efforts to make sure their external data is GDPR compliant. The chances are you’re one of them. I daresay you’re busy reviewing all your systems and processes to make sure they comply with the new rights that the new regulations gives to customers.

But: have you stopped to think that the new regulations don’t stop there? As this blog from ADP points out: ‘ … the new regulation also extends to the data you hold on your employees.’  So what does that mean to you, the HR employer. If you’re a company of a certain size, with finance, IT and operations depts. As the May deadline draws near, you must make sure that you invite HR and payroll to the party.

Be ready to respond to information requests

As the ADP blog asks: ‘If an employee wants to see all the data you have on them, how would you respond? How long would it take you to pull together all that information? Are you sure you know where it lives?’

As a HR dept you will have HR and payroll information. But have you thought about all the other data that will be here, there and everywhere. Such things as:

  • Interview submissions
  • Expenses claims
  • Sick absences
  • Special leave etc

Is this all stored in one place. Or is it, as is likely, scattered across a myriad of systems, on PC desktops, in personal folders and even in old-school physical filing cabinets?

With the strengthened rights that come packaged with GDPR your staff can ask questions.

Thus you, as HR, must:

  • Be clear on what data you hold on your employees
  • Be sure your HR systems are fine-tuned to manage the data you have in an efficient manner.
  • Prove to your employees that you have actioned their data requests.

So there might be some housekeeping to do in all those respects.

A brief look there then at the implications of GDPR for your staff.

In June 2017, anticipating all this, Cornerstone on Demand published a blog covering six implications of GDPR for HR.  

Here’s a brief summary. Use it to check you understand what you can and can’t do – and see how much or how little you still have to do.

  1. No more saving data: You can now keep personal data only for as long as necessary. So in an application process for example, you must delete the data for unsuccessful candidates, soon after the recruitment process.

Also, employees leaving the company (by whatever reason), can expect you to keep their data for a limited time period.

2.  You must target your information: Employees are only allowed to request necessary information from potential employees. For any other data collection you must obtain explicit permission.

 3. You must be accountable and transparent: From May 25th 2018, it’s imcumbent on companies to provide insight into how and where they keep and processes their employee data. Note though that employees have the right to withdraw their agreement.

4. Do not do anything with your data beyond its stated purpose: As a HR dept, not only are you limited in the amount of data you can ask employees and applicants for (see point 2), you may only use it for its intended and stated purpose.

5. The onus is on you to track data: GDPR brings with it an obligation to keep personal information current. And there’s a consequence for HR depts from that.

Record changes from such things as staff removal, job changes and so on are often retained.  But how about performance appraisals. It’s your responsibility to make sure that you have the right tools to keep the data in a suitable manner.

6. Protecting data: The whole point of GDPR is data protection. This means that you must store data in a safe and secure fashion. What’s more it must be well-organised too with only a limited amount of people having access to confidential information.

If GDPR is giving you a headache. Or you need help with any other aspect of HR policy and procedure Go-Legal HR is here to help.  Simply call  the office: 01793 877787 or the mobile number:  07801 709945.  Alternatively fill out the online contact form.  Leave a message if I’m not there and I’ll get right back to you.

Everything you ever wanted to know about GDPR – but were afraid to ask


20th February 2018

Everything you ever wanted to know about GDPR – but were afraid to ask

Unless, in recent weeks, you’ve been in entrenched in deepest, darkest jungle out of the reach of Wi-Fi you can’t fail to have heard about GDPR. So before we go any further let’s be clear on what GDPR is and try and give you some info on what you need to know about GDPR.

The General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation that the European Parliament, the Council of the European Union (EU) and the European Commission will use to strengthen and unite data protection for all EU individuals. Good news for our individual privacy. But not so fab for the small and micro-business owner. Because make no mistake: doing nothing is NOT an option. Whether you have a big turnover or you make a few hundred pounds a month from your spare bedroom – it makes no difference. These new regulations apply to you. By the 25th of May 2018 you have to be GDPR compliant. So put it in your diary!

 What we have now: the Data Protection Act (DPA)

Under the Data Protection Act of 1998 you are considered compliant with regulations unless you’re found not to be. A bit like how the UK legal system assumes you innocent until proven guilty. With GDPR though you have to be overtly seen to be compliant. There’s no room even for reasonable doubt.

Why are the regulations changing?

Your GDPR questions answered

It’s a good question.

Our data is being used in ways that the old DPA couldn’t foresee: social media being a prime example. As a result, the EU has worked for four years now to bring data protection legislation into line with these modern ways of using said data. At the moment, the UK relies on the 1998 Data Protection Act – and that came into being on the heels of a 1995 EU data protection directive.  The new legislation supersedes that.

What will the new legislation do?

In a nutshell:

  • It has the power to impose tougher fines for breaches and non-compliance.
  • It gives individuals more say over what companies – of all sizes – can use their data for. It also brings in a level of standardisation to data protection rules throughout the EU.

When will GDPR come into force?

25th May 2018 marks GDPR day. From that day forth the legislation will apply in all EU member states. GDPR is a regulation not a directive. This means that the UK doesn’t have to draw up new legislation – rather it will apply automatically.

GDPR for the small business

Having got to grips with what GDPR is and the fact that no one is exempt from it, the next two most important things to remember are:

  1. GDPR applies to ANY business that is in the business of processing the personal data of EU citizens. This means it also apply to data you have of companies that are based outside the EU.
  2. Brexit changes nothing. The UK government has confirmed that current Brexit negotiations will not affect the GDPR start date. Nor its immediate running. Furthermore, it’s already confirmed that, post-Brexit, either the UK’s own law, or a newly proposed data protection act, will be a direct mirror of GDPR. So don’t go pinning your hopes on that as a way to avoid taking action.

UK Small Business GDPR checklist

This article from Simply Business, What is GPDR for small business, has stacks of information – including a GDPR checklist for UK small businesses. There’s more detail in the article but here are the main points in summary:

  1. Know your data: where it is, why you have it in the first place and how long you normally keep it for
  2. Identify whether you’re relying on consent to process personal data
  3. Look hard at your security measures and policies – the chances are they will need updating.
  4. Prepare to meet subject access requests within a one-month timeframe
  5. Train your employees, and report a serious breach within 72 hours
  6. Conduct due-diligence on your supply chain.
  7. Create fair processing notices
  8. Appoint a Data Protection Officer (DPO). 

I’ll leave you with this thought:

The chances are that your inbox has by now been flooded with training organisations offering GDPR courses. I’m reminded here of the old saying ‘A fool and his money are soon parted’. If you think doing such a course will be helpful to you that’s fine. But don’t fall into the trap of thinking it will make you GDPR compliant. It won’t.

If you feel in need of any level of advice and support with GDPR Go-Legal HR is here to help. Contact me via the web form here: Or call me on 07801 709945. If you get my answer phone leave me a message – I promise I’ll get right back to you.