The General Data Protection Regulation (GDPR) comes up wherever you go on the web. It has probably come up in your email inbox, with companies requesting consent to keep contacting you, and you have probably discussed it in numerous meetings; it’s everywhere. But how prepared are you?
May 25th is the GDPR deadline, only a few days away. GDPR will essentially build on the existing Data Protection Act and impose stricter rules on how companies handle data.
When the new regulation comes into effect, the HR department will be responsible for the personal data it collects on applicants as well as current employees.
Whilst it has been announced that organisations that are not GDPR compliant will face ‘hefty’ fines, the positive side of GDPR is that it enforces good data hygiene and best practice for data management, and will help to limit or diminish risk related to data. This is particularly true in the case of a cyber-attack, but GDPR also pushes organisations to improve the quality of their data, and therefore its value.
If you need to fast track to GDPR compliance, here are my top tips for those working in HR.
- Conduct a data audit
Review the processes and data you collect, as well as the ‘treatment’ of that data. This will help you identify where the ‘high risks’ are. Personal data being shared and stored on email is one of the biggest tasks to address in becoming GDPR compliant. For example, a CV containing someone’s personal information can be shared with several employees and never deleted from their inboxes, which exposes the candidate’s personal information.
Also, review any data that may be collected automatically, as you are equally responsible for the resulting actions of an automated process.
- Check-in with your partners
If you have data being stored and processed by partners, check that they are GDPR compliant. Unfortunately, most data breaches are due to a weakness in the organisation’s ecosystem of partners.
- Bring GDPR front of mind
When designing a new system or process, put GDPR on the checklist. Start with the data first, not the process, and determine the justification for collecting and keeping each data point. For example, in Germany you must declare your religion, as Church members are required by law to pay tax to fund the church. If an employee indicates membership of a tax-collecting religious community, the employer must withhold ‘church tax’ from their income.
Then, review the processes which relate to the data you really need, and incorporate the privacy requirements and the user rights within those processes.
- Demonstrate accountability
Businesses need to provide full transparency, including on where employee data is stored and how it is processed, making it clear who can access what data. Once the datasets are clean and the processes have been reviewed and adapted, you now must document and prove how you are compliant. This is called the accountability principle, and essentially translates into documenting the datasets (and how they comply with the data minimisation principle) and documenting your processes (and how they implement privacy requirements and allow users to exercise their rights).
GDPR has felt daunting for many. It is a complex regulation, and with companies processing thousands of data points, being compliant requires meticulous preparation. But it’s never too late to begin. It is in HR’s interest to surround themselves with experts if they are still unsure how GDPR will impact them.
Compliance is a process, and data protection a culture; once in place, it’s a very powerful and effective tool.