With the clock ticking, and May 25th peeping above the horizon, the drive to achieve full GDPR compliance has picked up pace. But is your company ready? And what can your HR department do now to make sure it is ready in time?
Achieving compliance with the General Data Protection Regulation (GDPR) is incredibly important, with fines of up to €20 million or 4% of global annual turnover possible. Yet despite having almost two years to prepare, not all businesses are yet ready. In a recent survey, 35% of businesses in Ireland admitted they had not yet trained staff in data security, while in the UK, statistics show that less than 10% of small businesses are ready.
HR has an essential role in ensuring compliance. After all, HR teams handle sensitive information about employees every day, and it is those very employees whose privacy is affected.
At this critical stage, what steps should your HR department be taking? Here is a short step-by-step guide (along with some key questions to ask) you can follow to help you get on track.
- Identify What You Already Have
Employee personal data takes different forms, from contact details to pay rates to leave entitlements. So the first step is to make sure you know what information you hold. Once this is done, you can carry out a gap analysis to see where you are and what more needs to be done. And remember, the most efficient management systems ensure everything can be quickly retrieved when needed, so storing data in one central area is a good idea.
- Is this data necessary?
- Is keeping this data justified?
- Are documents such as employment contracts, staff privacy notices and third-party contracts GDPR compliant?
Access to all employee personal data needs to be tightly controlled, and a key part of ensuring this is appointing a Data Protection Officer (DPO). The DPO is required by the GDPR, and will report to the board.
Once the DPO is appointed, a strict list of who can have access to employee data will help to limit the chances of breaches. When you have identified them, you can set privacy controls that establish a clear procedure and full transparency.
- Does the Data Protection Officer (DPO) know his/her responsibilities?
- Who needs access to the data being protected?
- What is the data access policy and procedure?
A key issue under the GDPR is transparency, which means fully informing employees how their data is gathered, stored and used. But they must also be informed of their rights and how they can act on them. Perhaps the most important act is securing consent from employees to gather and store their data; this consent must be specific and unambiguous. There are also other rights, like the ‘Right To Access’ and the ‘Right To Be Forgotten’.
Policies must be in place to handle access requests adequately and, since data retention now requires justification, to dispose properly of unnecessary or unwanted data.
- How can an employee give their consent?
- Have all employees given consent?
- Was consent freely given? Is it specific, informed and unambiguous?
Getting things wrong can have serious consequences for the business. You also need to ensure that employees in the different departments of the company entrusted with handling employee personal data are properly trained. This is especially important for the Legal and IT departments.
Training courses can be organised to take them through the new process carefully, with regular refresher events so that standards are maintained and any new recruits can be fully brought up to speed.
- How do staff react to a data breach?
- How do staff deal with unauthorised access?
- Are there clear procedures to follow covering every scenario?