Making Staff Squared GDPR Compliant image

Making Staff Squared GDPR Compliant

Staff Squared date icon22nd March 2018

Tag iconTech

As of 25th May 2018, the law surrounding data protection and processing is changing. The new General Data Protection Regulation (GDPR) is a European regulation which will apply in all EU member states, and will succeed the Data Protection Act 1998 to bring data into line with previously unforeseen ways in which data is now used. GDPR will cover many areas in relation to data protection, and is being implemented to better enable individuals to control their personal data. It also places new obligations on organisations to be more accountable for the data they handle and process.

What Changes will be Introduced with the new GDPR?

Many concepts and principles of the Data Protection Act 1998 remain much the same within the new GDPR, which is good news if you are a company fully compliant of the DPA, as this means that you already have a steady foundation to expand from. Although, there are certain additions being introduced with the new law.

Some key changes outlined by GDPR are as follows:

  • Territorial scope increase, applicable to all companies that process personal data belonging to people within the European Union, regardless of the company’s location in the world.
  • Consent may be revoked by data controllers at any time, and data processors must abide by this without question.
  • Data breaches that come to the attention of any person must be reported within the first 72 hours of the issue being recognised.
  • Fines of up to €20 million (approximately £18 million), or 4% of a company’s total global annual turnover can be implemented for non-compliance.

To read more changes that will be coming into play as of 25th May, visit the ICO website:
Alternatively, see our ‘GDPR – Getting to Grips with the new Law’ blog post for more information on GDPR.

Ensuring Staff Squared is GDPR Compliant

Currently, Staff Squared stands fully compliant with the laws outlined in the DPA, and we are working tirelessly to build on the policies and procedures already in place to bring us in line with the new GDPR.

Data Retention

We are cracking down on our data retention policies, meaning that any personal data stored by Staff Squared will only be kept while it is needed for us to provide our services.

If at any time a customer chooses to close their account (or a trial account is not upgraded after it expires), we will only keep the information relating to the account for up to ninety days following its closure.

Only once an account has been closed and the ninety-day period has transpired, we may anonymise certain information and retain this for statistical purposes.

Subject Access Requests

As a very integral part of the new GDPR, there is a greatly defined shared responsibility between Data Controllers and Data Processors to ensure data security. Because of this shift in applicability within data protection law, we recognise that the ability to request access to information stored in relation to any one person must be readily available to them.

Moving forward, a new Subject Access Request (SAR) report option will be added to Staff Squared’s existing Reports page, which will allow Admin users to submit a SAR for any number of employees. We will then process these requests and collate all the required information, including personal information entered to a profile, absence records and wall posts.

Once this is complete, the Admin user requesting the SAR report will receive an email and dashboard notification, informing them that the report is ready to download along with a link to access it. This report will expire after a set period of time to ensure maximum security of the enclosed information.

Audit Trails

Similar to our pre-existing HR Audit log, we are currently working on a new, separate report option which will detail any and all actions completed by an Admin user while impersonating another user’s account.

Data Encryption

To go that extra mile in ensuring that your data is safe and protected, we are encrypting all of the data within the Staff Squared database ‘at rest’, meaning that if (in the extremely unlike event) our database was somehow compromised, the person/s would not be able to read the data in plain text, rendering the data worthless to them.

Complex Passwords

At present, the only restriction we enforce on users when creating a password is that it must exceed six characters. However, with the network of ways in which we use the internet consistently changing, people are becoming smarter and more skilled in replicating account passwords, creating a very serious data security issue; and for this exact reason, we are going to be introducing complex passwords to Staff Squared.

All existing Staff Squared users will not be affected by this change; however, if at any point they (along with new users) wish to reset their password, they will be required to set one that is consisting of a combination of different characters, and will also experience character restrictions, i.e. the use of simple patterns or number sequences.

With the implementation of complex passwords, we are able to make sure that our customers are kept safe, and their data is secure.

Two Factor Authentication

In support of the introduction of complex passwords, we are also working to implement a two-factor authentication feature to our log in process. This will require users to download an authentication app on their phones, which will generate a code to enter upon logging in to their accounts.

Accepting Terms and Conditions

If you do not clearly specify terms and conditions, you place your business in a position of uncertainty and misunderstanding – so it is vital that you are positive that your users have fully read and understood the T&Cs of the service you are providing to them. Not only does it protect their rights as a consumer, but it gives you and your company a sense of security.

While Staff Squared clearly details its T&Cs in the sign-up process, there is currently no feature that directs new users to accept these. Moving forward, we will be introducing a tick box feature, requiring all new users to confirm that they have read, understood and agree to our terms and conditions before they are able to continue with their sign-up.

ISO Accreditation and Cyber Essentials Plus

Staff Squared is already Cyber Security Essentials certified; however, we are always striving to be as secure and compliant as possible, and will, therefore, be enhancing this standard to Cyber Security Plus by June 2018. We are also currently pursuing an ISO27001 accreditation, for which we will be externally assessed in 2018.

Other Updates

Because of the ways in which society and business are continuously progressing, it is important for any company to stay on top of their policies and procedures to ensure that they are able to advance accordingly. Because of this, as well as to comply with the new regulations that will be implemented as of May, we are working closely with our legal team to update our terms and conditions, privacy policy and terms of service appropriately.

Need Further Information?

You can review our current Privacy Policy here, and this will be updated once all relevant changes have been made to ensure we are fully GDPR compliant.
If you have any questions regarding Staff Squared and our approach to processing data in compliance with the new GDPR laws, please email


The term ‘processing’ is very broad and covers an extensive list of operations that could be performed on, to or with information or data. This could include, but is not limited to, the organisation, retrieval and disclosure of the information or data. This clarifies that Data Protection law applies wherever an organisation does anything that involves or effects information or data. ‘Automated processing’ – anything on a computer.

Data Controller

A data controller dictates how and why personal data is processed. They are the decision maker; for instance, a customer or an organisation.

Data Processor

A data processor is the party doing the actual processing of the data; for instance, an IT company or a payroll services provider who are storing and processing the data provided.

The data processor tends to blindly process data in accordance with the data controller’s wishes. For example: Customers of Staff Squared are the data controllers and Staff Squared itself is the data processor.


Consent in terms of data processing, means specific and informed indication of how any data should be used and processed.

Data Breach

A breach of security that leads to accidental, unauthorised or unlawful loss, access, alteration or disclosure of personal data.

Territorial Scope

The distinction of who, what and where the new GDPR covers.

Subject Access Request

A written request from an individual to see information held on them, which must be responded to by the Data Processor within forty days of receipt.

ICO – Information Commissioner’s Office

A UK based, non-departmental public body which supplies information rights in the interest of the public.

Written by Clarisse Levitan

Lead Customer Support Agent - Staff Squared

Clarisse works as the Lead of our Customer Support Team to provide all of our customers with the very best care and guidance when using their HR software.

More from our blog

Pay only for what your business needs

  • £


    per person

    per month

  • Try Staff Squared HR FREE for 14 days. No credit card required.

How can we help?

Staff Squared Logomark Close icon

Let's get your HR started.

Tick FREE for 14 days
Tick No credit card required
Close cross
Enter your email address

Already have an account? Log in

Need help?