GDPR Compliance Checklist for Small Businesses
6th March 2018
As the implementation date for GDPR gets nearer, it’s vital that you have a plan in place for how you’re going to make sure your business is compliant. It’s no good waiting until the legislation comes into effect and then acting on it – you need to get everything ready now so that you’re compliant immediately.
Don’t panic if you’re yet to have all your new measures set up, or if you don’t know what you need to do. This checklist will help you make sure that by 25th May 2018, you’re totally equipped to handle it, by detailing the steps you should start to take.
Understand your data
The first thing you need to do is understand the data you handle. What details are you storing about your customers, clients, employees (past and present) and suppliers? What elements of that data could be considered sensitive (religious views, medical details etc) and require special treatment? Where does the data come from, how do you store it, and what do you use it for?
If you’re ever audited on your data, these are the first questions you’re going to be asked. And if you don’t know it inside out, then you’re going to fail compliance tests. So, make sure you spend the time now familiarising yourself with your data.
Evaluate your consent policies
If your data requires any consent, then you need to make sure that this consent is clear and explicit. While this could apply to several scenarios, the common one will be marketing – if you contact customers via email, direct mail, SMS or any other channel, you need to be able to demonstrate that you have their consent.
Where it states that consent must be clear and explicit, this means you must be clear on what a customer is opting in to receive, and you can’t use any tactics to try and gain that consent that could be considered underhanded – including even having consent boxes pre-ticked. Ensure you’ve got clear consent from anyone you market to, and if you can’t prove that you do, consider asking your database to opt in again.
Understand how to deal with access requests
Anyone whose data you hold will have the right to request access to that information. You need to be capable of responding to that request in a reasonable time. Generally, you’ll have a month to reply, but if the request is particularly complicated, you can extend this by a further two months (providing you can explain why it’s complicated, and that you notify the person requesting the data of the extension within that first month).
So, make sure you’re ready. Ensure your data is in order, and that you’ve got the required admin staff to be able to handle and process these requests. You may want to appoint a member of your team to be responsible for all data requests, making sure they’re trained to reply correctly.
Invest in encryption
You’re responsible for the data you hold, which means if you’re cyber-attacked and your data is stolen, it’s you who is liable. Under GDPR you have to demonstrate how you store data and show that it is safe.
That’s why investing in encryption software may be a wise investment. It’ll help keep your data secure and show any auditor that you take data safety seriously.
Write and publish fair processing notices
Under GDPR, you need to display fair processing notices. When an individual gives you their data, your fair processing notice should tell them why you’re holding it, what you’re going to do with it, where else you may send it, and how long you’ll be storing it for.
It’s a good idea to get ahead and write these notices now, so you can publish them before the deadline date. Even if they aren’t a current requirement, the sooner they’re live the better, and it helps show your clients or customers that you’re trustworthy too.
Have a clear out of old data
One of the stipulations of GDPR is that you only store data as long as you need it. So now’s the perfect time to audit your own data and see what you’ve got saved that you know you’ll no longer need. There’s no need to be over-zealous – if you think you may need data then keep it – but destroying any old and unnecessary data now will ensure you’ve less to audit in future, and that you’re already showing you’re compliant.
Check your supply chain
Unfortunately, it’s not just your business that needs to be GDPR-compliant. You also need to check that any suppliers or contractors aren’t breaching the regulations either. If they are, and they pass data to you that isn’t safely stored or wasn’t recorded with consent, then you also become liable.
So, check whether your suppliers are also paying GDPR the right attention and acting to make sure they’re compliant. Also review your contracts with them now – make sure that any liabilities for their own data failings don’t impact your own business.
Train your staff
Finally, especially in a small business where you may not have a dedicated Data Protection Officer or specific admin team who deal with data and requests, you must make sure your staff are trained in what GDPR means and what your business needs to do to remain compliant.
Start planning training sessions now, to make sure all key staff are aware of their responsibilities with data. It’s vital that they’re up-to-speed when the legislation comes into effect, so that they don’t misuse data and get your business into trouble. They also need to be aware of how to report data breaches or process mistakes, and who to.
Don’t put off the checklist
As you can no doubt tell from this checklist, you aren’t short of action to take before the deadline for GDPR coming into effect. And you’re rapidly getting shorter on time. Follow these simple steps without delay, and you can make sure you’ve no compliance issues when the laws change.
GDPR and Staff Squared
5th March 2018
Over the next few months the noise over GDPR will finally reach a crescendo. For the uninitiated, “GDPR” stands for “General Data Protection Regulation” and it goes into effect on May 25th of this year.
We’ve documented a full list of questions and answers for how Staff Squared accommodates the changes GDPR legislation brings into play.
GDPR is designed to protect how personal information of EU (European Union) citizens is collected, stored, and shared. The regulation should also improve transparency as to how personal information is managed by a business or organization.
Staff Squared fully expects to be GDPR compliant when May 25th rolls around and we thought we’d share our experience along the way. We’ll start with this post as an introduction to GDPR. In future posts, we’ll dive into some of the details of the process we went through in meeting the GDPR objectives.
GDPR – helping us to help you
To ensure we are GDPR compliant, Staff Squared has assembled a dedicated internal team, engaged expert legal counsel, and consulted with other tech companies on best practices. While it is a sizable effort on our part, we view this as a waypoint in our ongoing effort to secure and protect our customers’ data and to be transparent in how we work as a company.
In addition to the various operational and technical changes now underway, we’re also undergoing the internal operational improvements required to be both CyberSecurity Essentials Plus and ISO 27001 accredited. More on that to come in future posts.
We’re making these changes because we believe in security by design. We feel it’s important that this attitude and culture is equally something that our customers pay attention to.
We can spend hundreds of thousands of pounds on the security of our systems, but we can’t stop one of your employees writing their Staff Squared login on a note stuck to their computer monitor. We will of course provide tools such as two factor authentication which you’ll be able to take advantage of, but ultimately we’re as secure as our customers allow us to be. Humans are typically the chink in the armour when it comes to security.
Why is GDPR Important?
At the centre of GDPR is the protection of Personally Identifiable Information or “PII.” The definition for PII is information that can be used stand-alone or in concert with other information to identify a specific person. This includes obvious data like: name, address, and phone number, less obvious data like email address and IP address, and other data such as a credit card number, and unique identifiers that can be decoded back to the person.
How Will GDPR Affect Your Staff Squared account?
The various changes we’re going to make to Staff Squared are relatively straightforward and we’ll publish information about those in the coming weeks. However, our terms and privacy agreements will change significantly to take GDPR requirements into account. The clauses we add will be generally consistent across all GDPR compliant vendors and are meant to be easily understood so that a customer can easily determine how their PII is being collected and used.
Common GDPR Questions:
Dozens of customers have contacted us about GDPR and its impact on their business, Staff Squared or the world in general. Here are some of the more common questions we’ve received to date:
- GDPR will only affect citizens in the EU.
Answer: The changes that are being made by companies such as Staff Squared to comply with GDPR will almost certainly apply to customers from all countries. And that’s a good thing. The protections afforded to EU citizens by GDPR are something all users of our service should benefit from.
- After May 25, 2018, a citizen of the EU will not be allowed to use any applications or services that store data outside of the EU.
Answer: False, no one will stop you as an EU citizen from using the internet-based service you choose. But, you should make sure you know where your data is being collected, processed, and stored. If any of those activities occur outside the EU, make sure the company is following the GDPR guidelines.
- My business only has a few EU citizens as customers, so I don’t need to care about GDPR?
Answer: False, even if you have just one EU citizen as a customer, and you capture, process or store their PII outside of the EU, you need to comply with GDPR.
- Companies can be fined millions of dollars for not complying with GDPR.
Answer: True, but: the regulation allows for companies to be fined up to £20 Million or 4% of global revenue (whichever is greater) if they don’t comply with GDPR. In practice, the feeling is that such fines will be reserved (at least initially) for egregious violators that ignore or merely give “lip-service” to GDPR.
- You’ll be able to tell a company is GDPR compliant because they have a “GDPR Certified” badge on their website.
For all the noise and confusion surrounding GDPR, the regulation is reasonably well thought out and addresses a very important issue — people’s privacy online. Creating a best practices document, or in this case a regulation, that companies such as Staff Squared can follow is a good idea. The document isn’t perfect, and over the coming years we expect there to be changes.
In summary, GDPR changes are coming over the next few months. Staff Squared has our internal staff and our legal counsel working diligently to ensure that we will be GDPR compliant by May 25th. We believe that GDPR will have a positive effect in enhancing the protection of personally identifiable information for not only EU citizens, but all of our Staff Squared customers.
How to Respond to a Subject Access Request
13th February 2018
With the fast approach of the new General Data Protection Regulations (GDPR), you are most likely overwhelmed by the information you are having to work through to make your business GDPR compliant. You’re probably wondering; what is a subject access request, how do I address it and how does it affect me as a small business? Let’s answer these questions!
Any individual has the right to ask an organisation to see a copy of any and all information held about them. This is known as a subject access request. An individual’s right to access does not end there though. Any person who submits a request in writing (and where applicable, pays a fee) is entitled to be informed of any personal data being processed, provided with a description of such data, the reason/s for it being processed and whether the information will be passed on to third party companies or organisations. They also reserve the right to be supplied with a copy of any such data, including the source of the data where this is available.
Data subjects are also entitled to request information regarding the reason/s behind any automated decisions, except where this information is strictly confidential.
You can read more about automated decisions in data processing here: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/automated-decision-taking/
Find out how to deal with a subject access request for information by using the Information Commissioner’s Office’s Subject Access Request Checklist:
Before you can do anything with a new subject access request, you must ensure that you have everything required to process the request.
- Has the data subject provided the relevant information you require to locate the data they are after?
- Have they provided sufficient information to verify their identity?
- If applicable, has the data subject included the appropriate fee?
There may be a possibility that you will have to contact the data subject on receipt of the subject access request, as they may not provide all the relevant information required to continue.
It should go without saying that when you are dealing with people’s personal data, confidentiality is key. That is why ensuring you are satisfied that the person requesting the information is who they say they are before you make any form of disclosure is of the utmost importance.
You should take reasonable measures to obtain verification of the data subject’s identity without seeming obstructive. You will find that most people will be happy to answer simple security questions or provide a form of identification in return for knowing that their personal information is protected.
Proving identity is usually fairly circumstantial. In a lot of cases, you will find that proof of address via photo ID or a signature would be sufficient verification.
In some instances, you may have to request further verification of the data subject’s identity. In this situation, you will have two options: contact the data subject via telephone or in writing.
- Telephone – call the data subject and ask them two security questions based on the information you hold on them.
- In writing – contact the data subject requesting they send a photocopy of a form of photo identification (passport or driving licence). However, keep in mind that this will prolong the process, and there will be a chance that the data subject will not hold forms of ID.
Generally, you should aim to respond to a subject access request as promptly as possible; and always within 40 days of receiving a valid subject access request. This time scale includes weekends and public holidays. You should calculate the date on which the data subject should expect the information by, and inform them of this straight away.
Once you are happy that the subject access request is valid, and the data subject is genuine, you will need to find the information that has been requested and ensure that you follow the correct procedure.
To begin, you will need to search your company’s records in order to locate the information required about the person who has made the request. This could involve searching a range of locations, including files, emails and computer drives.
Not all personal information is liable to be disclosed. Rigorous screening is required to ensure that no unsuitable data is being released.
Screening of information should be performed on a case-by-case basis for each individual piece of information that has been requested by the data subject. There may be certain circumstances where you will only be able to release parts of a particular document. See ‘Exemptions’ for more information.
It is important that you check that the record is actually related to the person who is requesting this information. There will be many occasions where you have a list of data subjects who all have the same name. You might also come across documents that mention the person by name but are not actually about that person, so accuracy is of the utmost importance here.
Some types of personal data are exempt from the right to be requested for subject access, so cannot be obtained by data subjects. If an exemption applies, you will not be required to disclose the information it relates to. If the exemption only covers part of the information, you should follow the instructions below.
Read more about exemptions here: https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/
If you happen across information that reflects negatively on the company (for example, documents that display incorrect procedures being carried out), you must disclose the data as requested.
You may not destroy or withhold information that you deem unfavourable to your company. This is a criminal offence if enacted after receipt of a subject access request.
Under no circumstances should any information that would prejudice the prevention or detection of a crime be disclosed. This information can be disclosed if the case has been closed.
Any records that contain advice from lawyers, requests for legal advice or were written as part of obtaining legal advice should not be disclosed at any time.
- Print document, or photocopy if it is a paper record.
- Blank out any exempt information using a black marker pen.
- Photocopy the blanked out document and send the copy to the data subject requesting the information.
- Highlight any exempt information in black and save this as a separate copy.
- It is possible that the highlighted sections can be removed electronically, so print the document and send it to the data subject.
Where there are duplicate records (i.e. emails which include previous correspondence), make sure that you only print out the most recent document.
You should never disclose information about third parties. Any information that relates to more than one individual, including the data subject requesting the subject access, should be screened accordingly. Where blanking out information is not possible, the third party’s consent should be sought. If this is not possible to obtain then the information should be withheld.
Once you are satisfied that you have correctly completed these steps, and have compiled all relevant data requested by the data subject with any exempt information screened and blanked out, you should write to the applicant with all data eligible for disclosure. In the event that any information cannot be disclosed, an explanation of this should be provided.
Paper trails are a must when you’re running a business. Keeping a step-by-step record of any process or transaction allows anyone to recreate the action taken from beginning to end, which can protect you against any wrongdoing, and provides you with undeniable proof that you followed laws and procedures.
Procedures will vary between organisations, but the standard process for recording subject access requests is to create a file per request and assemble:
- Copies of all correspondence between you, the data subject and any third parties.
- A record of any telephone or written communication between you and the data subject used to obtain identification verification.
- A record of your decisions and how you came to them.
- Copies of all the information sent to the data subject.
If you require further in depth information in relation to subject access requests, the ICO website is always being updated in accordance with changes to the law.
Data Subject – An individual who has personal information or data held about them which is being processed or otherwise used by a company or organisation.
Automated Decision – Deciding solely by automated means, without any human involvement. For example: a website uses algorithms and auto credit searching to provide an immediate yes/no decision on an application.
Processing – The term ‘processing’ is very broad, and covers an extensive list of operations that could be performed on, to or with information or data. This could include, but is not limited to, the organisation, retrieval and disclosure of the information or data. This clarifies that Data Protection law applies wherever an organisation does anything that involves or affects information or data. ‘Automated processing’ – anything on a computer.
Right to Access – Data subjects hold the right to request and obtain confirmation from the data controller as to whether personal data concerning them is being processed, and for what purpose. Data subjects also have the right to request an electronic copy of the personal data, free of charge.
GDPR – Getting to Grips with the New Law
13th February 2018
The law surrounding data protection and processing is changing. Are you ready for the new GDPR regulations which are coming into effect as of 25th May 2018?
Out with the Old – the Data Protection Act 1998
The current legislation relating to data protection is the Data Protection Act 1998. It is defined on legislation.gov.uk as ‘an Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.’ (www.legislation.gov.uk/ukpga/1998/29/introduction).
The original Data Protection Act can be summarised in the following statement:
You (a company) must only “process” “personal data” in accordance with data protection principles (unless an exemption applies).
The Internet, and the world, has progressed significantly in the last 20 years, leaving the rules around how businesses collect and process personal information lacking in many ways. Furthermore, the Information Commissioner’s Office (ICO) – the enforcer of the policy and law related to the DPA – does not have sufficient “teeth” to enforce fines on companies that disregard the rules and suffer breaches of data.
Unfortunately, many well respected big-name companies have leaked millions of records with little material repercussions or significant fines. The vast number of instances of important data breaches show just how many ways data can be put at risk.
Just six months ago, in July 2017, global information solutions company, Equifax, reported a major cybersecurity breach affecting 143 million consumers in the US, and some 694,000 UK customers. The breach saw information such as social security numbers, addresses and financial information revealed and stolen.
Carphone Warehouse have only now been fined £400,000 by the ICO after a data breach was confirmed in 2015, where the personal data of over 3 million customers and 1,000 employees was accessed without authorisation during a cyberattack.
Other companies who have been compromised in recent years include Nationwide, Wonga and even HM Revenue and Customs! You can read a list of companies here: https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/
It’s uncomfortable reading, to say the least!
It is clear that companies are not doing enough to secure individuals’ data. This being said, the new GDPR legislation is not just to catch up to the internet of 2018, but to ensure that companies of all sizes have better clarity on how they process and protect data. The repercussions if they do not are increased considerably.
In with the new! The General Data Protection Regulation (GDPR) and why it exists
The EU (of which we remain a member, for now) has set down new rules for how data should be managed by all businesses, regardless of their size or nature.
General Data Protection Regulation (GDPR) is a directly effective European regulation which will apply in all EU member states, and will supersede the DPA to bring data into line with new, previously unforeseen ways that data is now used. It introduces tougher fines for non-compliance and breaches, and gives people more say in what companies can do with their data. It also sees consistency of data protection rules throughout the EU, regardless of where the data is processed.
Elizabeth Denham, head of the ICO, stated that GDPR “brings a 21st century approach to the processing of personal data”.
As previously mentioned, the UK still currently remains a part of the EU. Article 50 (which set into motion the process of the UK leaving the EU within 2 years) was only triggered in March 2017, meaning that the GDPR takes effect before the legal consequences of the Brexit vote, and the UK must still comply with the new regulations.
What exactly does the GDPR change?
The scope of the law remains unchanged. It still covers all automated processing of personal data held on structured paper files, but with the fast approaching implementation of GDPR, it now has a wider applicability to cover.
Under the defunct DPA, data processors were not as liable in cases of data breaches as data controllers. GDPR sees that processors hold an equal amount of liability as controllers do. Data processors must ensure that all relevant contracts between themselves and data controllers are updated to incorporate new data processing terms set out in the GDPR.
Data processors are required to abide by rules to maintain records of their processing activities; however, the responsibility of ensuring the processor adheres to data protection law lies with the data controller.
While the current data protection law is applicable solely within the EU, the GDPR requires any organisation based outside of the EU that is selling goods and services to, or monitoring the behaviour of, individuals within the EU, to also be fully compliant with the new regulations.
So, what happens if you don’t get GDPR right?
As the applicability of the law on data protection is tightening, it goes without saying that the implications of being non-compliant will too.
Any person/s who become aware of a data breach that risks people’s rights and freedoms have a responsibility to inform their data protection authority within 72 hours. This is called a breach notification.
If you are found to be non-compliant with the GDPR, the consequences can include:
- Enforcement by the ICO, including:
  - Warnings and reprimands,
  - Temporary or permanent bans on data processing,
  - Orders to rectify, restrict or erase data,
  - Suspension of data transfers to third parties; and,
  - Fines of up to €10 million, or 2% annual global turnover (whichever is higher) OR €20 million, or 4% annual global turnover (whichever is higher).
- Compensation claims.
- Negative publicity.
To Summarise – The GDPR change in a nutshell
GDPR covers a vast number of areas in relation to data protection and processing. These new regulations are being implemented to enable individuals to better control their personal data. The new law brings a 21st century approach to data protection, and expands the rights that data subjects hold over how their information is collected and processed. It also places new obligations on organisations to be more accountable for data protection. This article outlines the fundamentals of what you need to know about the new regulations that will apply from 25th May 2018.
For further information, visit: https://ico.org.uk/for-organisations/data-protection-reform/
A Glossary of useful GDPR terms
The term ‘processing’ is very broad, and covers an extensive list of operations that could be performed on, to or with information or data. This could include, but is not limited to, the organisation, retrieval and disclosure of the information or data. This clarifies that Data Protection law applies wherever an organisation does anything that involves or affects information or data. ‘Automated processing’ – anything on a computer.
A data controller dictates how and why personal data is processed. They are the decision maker; for instance, a customer or an organisation.
A data processor is the party doing the actual processing of the data, for instance, an IT company or a payroll services provider who are storing and processing the data provided.
The data processor tends to blindly process data in accordance with the data controller’s wishes. For example: Customers of Staff Squared are the data controllers and Staff Squared itself is the data processor.
Consent in terms of data processing, means specific and informed indication of how any data should be used and processed.
A breach of security that leads to accidental, unauthorised or unlawful loss, access, alteration or disclosure of personal data.
The extent of the area or subject matter that something deals with, or is relevant to.
The quality of being relevant or appropriate.
Right to access
Data subjects hold the right to request and obtain confirmation from the data controller as to whether personal data concerning them is being processed, and for what purpose. Data subjects also have the right to request an electronic copy of the personal data, free of charge.
Right to be forgotten (Data Erasure)
The right to be forgotten entitles data subjects to have their personal data erased or halt the processing of the data. This includes the data no longer being relevant and the data subject removing consent. Controllers are required to compare the data subject’s rights to “the public interest in the availability of the data” when considering such requests.
Data Protection Officer (DPO)
Appointing a Data Protection Officer is mandatory for all public authorities, and some private companies. A DPO has formal responsibility to ensure that organisations are fully data protection compliant. The role includes informing and advising an organisation and its employees of their data protection obligations under the GDPR, monitoring the organisation’s compliance with the GDPR and serving as the contact point for data subjects on privacy matters.
Privacy Impact Assessments (PIAs)
PIAs are a useful tool organisations can adopt to identify the most effective and efficient way to comply with and meet their data protection obligations. An efficient PIA enables organisations to establish and correct problems at an early stage.
Privacy by design
The inclusion of data protection from the outset of the design of a system, as opposed to an addition. Outlined by Article 23, controllers must only hold and process data that is necessary to complete their duties (data minimalisation), and limit access to personal data to those who are processing the information.
A method of overwriting information to completely destroy all history of any electronic data held on a hard drive or other digital media.
Why it is Important to Show Appreciation at Work
5th January 2018
On average, people spend more of their time whilst awake at work. With so much of our lives taken up by our jobs, it’s so important to make sure that we’re happy whilst we’re doing it. A happy employee is a mentally healthy employee, who will work harder and be more loyal to the company.
A big part of that happiness is feeling appreciated in their work. If they don’t know that they’re appreciated, they aren’t going to be happy, and you’re going to end up with serious problems further down the line.
What can happen if an employee feels under-appreciated
Firstly, anyone who feels like they aren’t valued isn’t going to be working as hard as they can. Regardless of how professional they may be, it’s impossible for someone to work in the best way possible if they feel that way. You’ll have a team that may be doing fine, but will never excel, which will only cause your business to stutter and plateau rather than grow.
Then there’s the issue of the environment. It’s very easy for an “us vs them” attitude to develop in the workplace between management and employees. Employees know that managers get paid more, but they still feel like their hard work is what’s fuelling their salaries. Showing appreciation can stop this divide from becoming a toxic issue.
Finally, there’s the issue of staff retention. The grass may not always be greener, but that won’t ultimately stop an employee from leaving for pastures new if they don’t feel their work is being appreciated by their manager. If you hire good staff, you’ll want to keep them, so making sure they understand how important they are is key to building a strong team in the long term.
Ways to show appreciation to your employees
Showing appreciation to your employees begins with simple pleasantries and manners. “Please” and “thank you” go a long way to showing that you believe your team deserve to be treated with respect. Make sure you go a step further when thanking them though, and be specific in what you’re thanking them for. It makes for a more genuine gesture, and shows that you’re paying attention to the work that they’re doing. Also, set this as a standard you expect from your team – colleagues should be treating each other in the same way.
Be careful not to stray too far into saying thank you for everything they do though. You’ll lose credibility if it sounds like you’re saying it for the sake of being nice. It’ll quickly lose meaning if you’re saying thank you with too much emphasis too often.
Another way to show that you appreciate your employees is to take an interest in them. Again, it’s all about being genuine – ask how their weekend was, and try to remember the most important parts of their lives – family names, hobbies etc. That way when you speak in future and show you’ve cared enough to remember these details, you’ll demonstrate you care about your employee.
Encouraging social interaction amongst your team, and providing for that, will also help to grow that sense of value. This could be something as big as a Christmas party, where you hire a venue and pay for food, drinks and entertainment. It may be something as small and simple as bringing in a selection of treats to say thank you for completing a project. It doesn’t have to break the bank, but if it does break the day-to-day with a reward, then it can make all the difference to your team.
On the subject of finances, offering a monetary incentive to your team is one of the most straightforward, and effective, ways to show appreciation. This may take the form of an end-of-year bonus, or a regular salary review. It could even just be a gift voucher as a one-off. It depends on what your business can afford to offer, but an employee who’s told they’re getting money because they’ve done well will always feel significantly happier.
You may also wish to consider a regular award, whether it’s annual or perhaps an employee of the month. These give you the chance to highlight an employee for special praise, and they encourage employees to push that little more to try and put themselves in the frame for the award – especially if there’s a token reward attached to it. The downside is that, depending on the format of the award, you can leave non-winners feeling less appreciated, so it’s one to play carefully.
Finally, consider how you can offer training opportunities and ultimately a path of career progression within your business. If you show that you can trust your employee with extra responsibilities, through new training courses or from the added pressure of moving up the ladder, then you’re showing that you highly value their contribution. Trust and appreciation go hand-in-hand, and trusting an employee with a more demanding workload – as long as it’s not too demanding – can guarantee that sense of appreciation.
The problems with fragile egos
With most of your employees, the tips in this article will keep them happy throughout their time with you. However, you may have one or two employees who will continue to feel under-appreciated, despite your best efforts. This may be down to a number of reasons, from insecurity to simply having ideas above their station.
How you deal with these people will vary, but ultimately remember to keep a balance, so that you don’t treat these employees in a more favourable way than others, and come to terms with the fact that you may ultimately just have an employee that can’t be pleased. Always work with them to try and find a solution, but don’t beat yourself up if you know you’re doing the right thing.
Keeping the appreciation going
By making sure that your employees feel appreciated, you can help to grow a team of responsible workers who are primed for promotion opportunities in future. Simple techniques can mean the world to your team, so long as you keep the professional balance so that appreciation always feels truly earned.
Do Staff Appraisals Work?
5th January 2018
Staff appraisals are a great way of managing staff morale, helping to develop your workforce and highlight the areas where you have strength in your team but also areas where you may need to fill a gap, either with training or by taking on someone new. But appraisals only work if handled in the right way, with a clearly defined process and a positive approach with everyone bought in.
What is an appraisal?
An appraisal is a performance review, carried out at a regular interval – often annual or twice-yearly. It’s the opportunity for employee and employer to look back at the performance of the employee against agreed targets or objectives, and to set out new objectives for the coming period.
Appraisals are not a legal requirement, but it is widely viewed as best practice to implement them in your business. Appraisals may be carried out purely as a record of achievement, but often they are linked to a rewards scheme, such as pay reviews.
Who should have an appraisal?
There’s an old school of thought that appraisals are only really suited to ‘white collar’ employees, i.e. those based in an office setting. More modern thinking is that it’s better to be inclusive of everyone – to avoid creating an “us vs them” culture. Every employee, regardless of their role, can have objectives or processes against which they can be judged, and it’s vital that you’re fair by giving everyone the same opportunities to discuss their performance.
Appraisals suit any business too – they shouldn’t just be the preserve of mid- and large-sized businesses. Indeed, small businesses can often carry out a more effective appraisal system, as senior management are more likely to know each employee better, and can therefore deliver a more honest and meaningful appraisal. Plus, within a small business, it can help each employee to know their potential progression path, so they can see how they can grow as the business does.
In terms of who carries out an appraisal, it is often best that it’s an employee’s line manager. The benefits of this are two-fold: the manager likely knows the employee better, and it helps to develop the experience of the manager too. The alternative, where a more senior member of management carries out an appraisal, can make an employee feel more valued as they feel they’re getting access to, and attention from, more senior staff. What may work best is a joint approach – an appraisal carried out by a line manager, but signed off with comments from more senior staff.
What are the benefits?
The purpose of an appraisal is to show an employee where they are doing well, and also where they can improve. By highlighting strengths, you can show employees that you recognise their contributions, and then by looking at weaknesses you can identify where training is needed to help the employee to grow and become more efficient. This can also identify potential promotion pathways, giving the employee something to work towards.
The other major benefit of an appraisal is improved communication. It gives the employee valuable time to share any ideas, concerns or other opinions in a structured environment, and it improves their morale by giving them dedicated time with a manager that’s all about them.
Provide training to your managers
A manager can’t be expected to deliver effective appraisal meetings without any kind of formal training or experience. It’s therefore vital that you offer at least some written training on how to complete the appraisal form you create for your business. What would be better would be to hold training sessions with the chance for managers to carry out mock appraisals, and to compare notes to ensure consistency across the business when people are being reviewed or scored against criteria. This will help ensure you don’t have some managers judging people more harshly than others, which can be a killer for morale once employees start discussing their results.
Implementation is key
As appraisals take place often months apart, it can be easy for them to slip. Also, some managers may be reluctant to give their employees appraisals, due to time constraints or even just a fear of carrying out a formal performance review.
If you’re going to implement appraisals in your business, you need to make sure everyone is fully bought in, and that you can trust your managers to deliver them regularly as needed. All of the benefits are undone if they start to become irregular, or not everyone gets one, and the negative impact on morale can be catastrophic.
Giving employees the opportunity to appeal
Whether your appraisals are linked to reward – financial or otherwise – or they’re simply to help employee development, it’s important to have a clear appeals process in place should employees need it. An employee may feel they’ve been unfairly judged or reviewed, either due to disagreements with their manager (which are sometimes unavoidable) or because of some evidence that they’ve not previously made anyone aware of.
Ensure that, as part of your appraisal scheme, you have a clearly defined appeals process that makes it simple for an employee to challenge their report, and set out the steps of what action will be taken so that each employee is confident they’re being listened to.
How the appraisal should work
Managers should book in an appraisal meeting with advance warning, so the employee can prepare. The meeting should be given a considerable amount of time, at least an hour, so that the employee feels they can share all their thoughts comfortably.
Give the employee a self-assessment form in advance. This will help them to prepare their thoughts and feelings, so that the meeting is more structured, and they get the chance to share all their views, rather than those they can remember on the spot.
During the interview, there’s a chance that the employee may be nervous. Make sure that the seating is comfortable, and you conduct the interview in a relaxed manner. Also, ask open questions that encourage them to talk, rather than those that simply need a “yes” or “no” answer. Leave silences – the employee will fill them.
Once the meeting is complete, you should complete an appraisal report and allow the employee to sign it to confirm their agreement with the plans you’ve put in place. This should be recorded, as it’ll serve as a good comparison for their performance in their next appraisal.
Making staff appraisals work
Staff appraisals do work – they have a number of benefits to both employee and employer. But that’s only if you give them the attention they deserve. Put formal appraisal procedures in place, and monitor managers to make sure they’re carrying out appraisals with staff, and you’ll reap the reward.
Staff Squared Product Update: January ’18
29th December 2017
Happy New Year! You may have noticed we had a quiet 2017, and didn’t put out as many updates as you may have become accustomed to. That’s because we’ve undertaken a huge amount of preparatory work for all the amazing enhancements you can expect from Staff Squared in 2018. The list of improvements we can now make is huge, so for now we’ll tease you with the top three highlights:
- A new responsive user interface for Staff Squared making it even easier to use and navigate
- A renewed focus on keeping your business safe, compliant and ahead of legislation. GDPR is a key component of what we’re working on here, but we’re going to take helping you stay compliant to a new level with some of the features we’re going to provide
- Bigger, better and more dynamic reporting that is infinitely customisable
On top of all this behind-the-scenes work, we’ve still managed to get some smaller updates out to you this month.
NEW! Ability to select which events are pulled through to your synced calendar
Until now it wasn’t possible to customise your calendar feed, and if you synchronised Staff Squared with Outlook, Google Calendar or your preferred calendar it was an all or nothing affair.
You can now select which events from your Staff Squared calendar will show in your synced calendar. For example, you might decide to only synchronise holidays to your external calendar. Neat!
NEW! Ability to filter terminated employees from reports
Sometimes you only wish to include current staff in your reports but until now this wasn’t possible. It’s now possible to run various reports excluding ex-employees.
Wishing you a very prosperous and healthy 2018. Expect to hear from us with more exciting updates soon!
How to Minimise Workplace Negativity
21st December 2017
Whether it’s one disruptive voice amongst the masses, or a group of disengaged employees who are unsettling the wider team, negativity in the workplace can cause serious issues if it’s not addressed. Letting any negativity fester will only mean that it’ll eventually spread amongst your workforce, causing problems with morale and productivity that could ultimately be disastrous.
Examples of negativity in the workplace
There are many forms of negativity within the workplace that you need to look out for. It can be common, for instance, for employees to simply not get on with each other. Most of the time, people will work professionally alongside a colleague, but sometimes a more brash or less mature employee will make their dislike of another public. This can quickly develop into either arguments or, if one employee is less confident, bullying. Either should be a major concern.
Potentially worse is where you have a group of upset employees. This may be a close-knit team that loses morale when one of their number is singled out for criticism, or treated in any way they deem unfair. Or it could be that a process or a business decision has made the whole group feel hard done by. Depending on the size of this group, and their popularity within the office, you may have a serious issue with negativity in these situations.
Or another example could simply be selfish employees who generate negativity through either being lazy, or by trying to guarantee their own success at the expense of others. If someone’s viewed as not pulling their weight, or they’re acting deceitfully to try and make themselves look better, it can make the wider team very disgruntled.
One of the easiest ways to overcome negativity is to improve communication. Start with how you communicate with the team and set a good example. It’s important that you’re professional and courteous, but also honest.
Keep the team updated with the business. You don’t need to reveal sensitive information, but just making sure your team are in the loop on progress and any changes will have a big impact. It stops gossip, and encourages a positive and open atmosphere where everyone feels included and valued.
If the problem with negativity is between two employees, get them communicating in the right environment. This is likely to be a formal meeting, with an impartial adjudicator. Make both parties aware that the meeting is happening, as you don’t want to surprise them by dragging them into a potentially hostile situation. Remember you don’t need to make them friends, as long as they can work together professionally without impacting their work, or that of their colleagues.
Building a team
If there’s negativity between employees or teams, or you’re worried about cliques forming within your workplace, it’s worth looking at how your teams are structured. It may be that you need to simply redefine your internal structure, to get the right people onto the right teams with the right managers to help develop their attitudes.
If it’s more about creating team spirit, then you may wish to consider teambuilding activities. These can sometimes be a little cliched and, if handled incorrectly, make things worse if your employees don’t engage with the planned activities.
Instead, make sure you play to the personalities of your team to find something that they’ll learn from, but also enjoy. If it’s an experience that challenges them but that they also find a bit of fun, then you’ll see them forming much closer bonds a lot quicker.
Providing adequate motivation
When understanding why employees begin to feel negative, you may find it’s down to a lack of motivation. People want to feel valued and rewarded, and if you’ve not established a clear path to that recognition then employees can begin to feel like they won’t ever achieve success.
This doesn’t always have to be a financial reward. Yes, employees will be looking to be paid well and will hope for salary increases during their time working for you. But for most workers there are different motivations. It may be that they just want to see the fruits of their labour, and how their work drives the overall success of the business. Or it could be that they wish to develop more personally.
Make it clear what you’re willing and able to offer your employees in exchange for their hard work. If you can get them bought into your vision, they’ll be a lot more positive as they strive to see their own success.
Processes to prevent negativity
There are some simple processes that you can put in place to help identify and prevent negativity before it becomes a large issue. Make sure you’re speaking to your employees regularly and keeping communication channels open. You don’t need to speak to each employee individually, but ensure they have regular catch ups with their line managers, and offer appraisals where they can be evaluated but also raise any concerns they may have.
If an employee is leaving your business, set up an exit interview. These are extremely valuable for identifying any issues which could be causing negativity within your workplace, as people are more likely to be honest and reveal problems when they’re on their way out of a business. Make this as relaxed as possible to encourage honesty from the outgoing employee.
Finally, make sure you’ve got a robust policy for managing employees out of the business if they’re being unnecessarily and consistently negative and disruptive. You can’t sack an employee based on their personality, but if you collect enough evidence of their behaviours you can begin following your disciplinary procedures to issue warnings that can eventually, if required, get them out of your team.
Don’t dismiss negativity within your workplace as an issue with personalities straight away. Assume there is a problem and use it as an opportunity to make changes and show your workforce that you’re receptive to feedback. But sometimes an employee will simply be difficult and impossible to manage, so make sure you’re prepared to deal with these situations too.
Staff Squared Product Update: December ’17
1st December 2017
The holidays are fast approaching and everyone is feeling very festive at Staff Squared HQ.
This month’s release includes bug fixes, and the following new features.
NEW! Ability to select which events are pulled through to your synced calendar
NEW! Ability to filter terminated employees from reports
Employee Recruitment Strategies
28th November 2017
As your business succeeds and grows, you need to make sure your team grows with it. Making sure that there are enough people on your team to handle the increase in workload is vital for maintaining that upward trajectory, and for keeping the morale of your team high. But hiring new employees can be a tough task to get right.
You need to bring in the best talent available, without overspending, while making sure that the employee and the job role are well-suited to each other. Here are some of the things to consider when looking at an effective employee recruitment strategy.
Finding talent to recruit
First things first – who’s going to be looking after the recruitment process? Ideally in the long term, you’d have a dedicated in-house recruiter or even a whole recruitment team, but for many businesses this isn’t viable due to their age or size.
You can hire recruitment agencies to help find the new employees for you, but this is expensive and they aren’t always reliable. It’s not uncommon to hear stories of completely unsuitable candidates being put forward for interview by lazy recruitment agencies who don’t know how to find the right people. So relying solely on an agency isn’t the right way to go.
Instead, use a mix of different channels. You can list the job yourself on numerous job websites, like Indeed, Reed and TotalJobs. Advertising on LinkedIn is easy too. Also make sure you add the job role to a relevant landing page on your own website. It may be that you don’t currently get the right traffic to encourage people to apply direct, but it’s best practice and as your brand grows you’ll want to be able to take advantage of people coming to you, rather than you having to go find them.
One tried and tested method of finding new talent is by offering a referral incentive for your current employees. Even a portion of what you’d be paying a recruitment agency can be a huge financial reward for your existing team if they’re able to recommend people for your vacancies. Of course, it also makes sense to put checks in place to stop this from being exploited, such as only paying out after the new employee has passed a probationary period to prove they are well-suited to the role.
Finally, consider the job description. Putting a job description together can be a chore if you aren’t comfortable with that style of writing, but don’t be tempted to just find a template option from the internet. You need to attract people to apply, and a boring, run-of-the-mill job description packed with formal jargon will not appeal.
It doesn’t need to be too far the other way – wacky job descriptions aren’t likely to be taken seriously. Instead, just be clear on the role, on the values of your business, and as many of the benefits as you’re prepared to agree in advance. Salary is a sticking point, but if you want to leave room for negotiation then at least add a salary bracket.
The interview process
When you’re ready to interview a selection of candidates, you need to work out how you’re going to structure the interview process. How many stages will it consist of? Will all the interviews be face-to-face, or will there be an initial telephone interview to help whittle down the field and save time for those who aren’t suitable?
Also pay close attention to the interview questions you’re asking. A structured interview with more questions helps to show that you’re prepared and professional, which will in turn make you more appealing to applicants who show similar skills and traits. But ask too many questions and you risk leading the candidates too much, and not giving them time to develop their answers.
In terms of atmosphere for an interview, you should try to make it as relaxed as possible. The goal isn’t to try and trip up the candidates, making them more anxious so that they reveal secrets. Instead, you want them to open up and be honest, so try to help by being friendly and encouraging back and forth chat around your questions.
Throughout the whole interview process, you should be considering the main skills and personalities that you’re looking for. Personality is hugely important, which we’ll cover more below, but remember that you can teach job skills a lot easier than you can teach a new personality. If someone doesn’t have the perfect experience that you’re looking for, but they feel like the right person for your business culture, then perhaps they’re the best option.
Building a cohesive team
When you’re putting together a team, it can be a tricky balance to find people that work exceptionally well as a unit. Finding individual hard workers isn’t the challenge, but creating that team dynamic can be. This is why it’s so important to spend part of your interview process on personality, and not just experience and skills. You need to be able to work out how a new employee will fit in.
And it’s not as simple as finding someone that the current team will like. That strategy – of finding a collection of like-minded people – is fine, and will keep morale high. But this will often result in a team that’s not well-rounded, has consistent skill gaps and even slightly reduced productivity.
Yes, there are certain broad personality types that fit job roles well. Confident, outgoing people work well in Sales, creative types work well in Marketing, that sort of thing. But dig a little deeper and you’ll find the talents that push a team further – the slightly introverted team member may be your workhorse who gets tons done, while the more extroverted might be better at taking a step back to view the bigger picture and identify problems others might miss.
Build a team with a complementary mixture of personalities and you’ll be rewarded with a true team who can cover each other’s weaknesses, play to each other’s strengths and develop together.
Make use of all these tactics, from finding potential candidates to the interview process, and taking a considered approach to building a team, and you’ll find that the employees you do recruit will stand you in good stead for continued growth.