Paul Burrin, Vice President, Sage People, discusses what HR professionals need to take into account
The European Union’s General Data Protection Regulation (GDPR) came into effect last week, on 25th May 2018. It represents a major watershed in data protection and replaces all existing laws governing the protection and privacy of individuals in EU countries. As the most significant regulation of its kind in over two decades, GDPR reinforces the EU’s belief that a person’s right to the protection of their personal data is a fundamental human right.
From a macro view, GDPR impacts not only European firms but also companies in the Middle East and around the world that handle the personal data of, or offer goods and services to, European residents and citizens. With data breaches and infringements having wiped out companies big and small in our inter-connected ‘global village’, organisations in the Middle East that transact business with the EU, and even those that are not directly affected by GDPR, should make sure they are aware of the new regulations.
Human Resource (HR) teams in the region, in particular, have a crucial role to play as gatekeepers and processors of personal data. As the new regulation came into effect last week, let’s have a look at a list of things you need to put in place to ensure GDPR compliance.
1. Identify why you need that personal data
As an employer, you must have a lawful basis for gathering and processing personal data. In most cases, this will be a legal obligation, contractual necessity or legitimate interests. For example, you may need to gather a candidate’s contact information for communication purposes, or may require social security numbers for tax and payment purposes.
However, in some instances, you may need to obtain consent from the individual to use the data for a specific purpose that falls outside the remit of the usual employer-employee relationship.
Action: Make sure you have clearly identified the lawful basis for all personal data you are capturing in order to manage the data and consents accordingly.
2. Capture and manage consent for personal data
Under the new GDPR rules, whenever you process data on the basis of consent, that consent must be freely given. It must be a specific, informed and clear indication of the individual’s wishes, evidenced by a written statement or by a distinct, affirmative action. Therefore, remember that in a post-GDPR era, assumption, pre-ticked boxes, unanswered emails and inactivity do not amount to consent.
Furthermore, you also need to keep a record of this consent. Consider how you will track and update consent against each data point so that, should circumstances change, you can make the necessary adjustments quickly.
Action: Get consent for the data you hold, make it easy to amend when necessary, and plan to revisit periodically to assess whether you still need the consent.
3. Keep employees informed about their personal data rights
GDPR gives employees significantly more control over their personal data. Therefore, as employers, you need to let them know of their rights and choices.
Action: Keep your employees informed. Update your privacy notice statements for all employees and candidates and explain what data you hold on them, what you’ll do with that data, where it is stored, how long you’ll hold it, and what their rights are with regard to that data.
4. Use self-service to manage data access requests quickly and efficiently
Employees have always been entitled to request information about the data you hold on them, but GDPR makes this more accessible for employees. You will need an efficient way of enabling employees to see their data, change it as required, and understand how it is being used. This is where self-service comes in.
If your workforce can manage their own personal data through self-service functionality in an HR or People system, then everything becomes significantly easier.
It also means you can automate processes and notifications to the HR or People team about the changes they may need to make when personal data is updated.
Action: Manage change through automation and introduce self-service functionality to your HR systems.
5. Ensure you can provide data in an accessible format, and delete it, if requested
GDPR allows employees to access their personal data should they wish to do so, and in some circumstances, have their personal data erased.
Make sure you can provide the information requested in an accessible and machine-readable format, such as CSV, and that you have processes in place for identifying, rectifying and deleting the data based on such requests.
Some cloud HR and People systems in the market today, including the Sage Business Cloud People system, enable you to export data in the necessary formats and to anonymise or delete data when required.
Action: Ensure the data you hold is stored in an accessible format and is easy to amend.
6. Audit all personal data held on employees
Does your department have boxes of paper scattered across the office? Remember that bringing all your data into one place helps you get a handle on your electronic information and lets you understand and audit the soft copies of this data.
Action: Securely destroy the information you no longer need or have no legitimate reason to store. Upload any data you still need to retain to your single electronic source of truth (the primary, trustworthy official reference system), then securely destroy the paper copies once that is done. If you retain any paperwork electronically, make sure you have the consent to do so.
7. Control who has access to the data
Do you know who can access your employee data? Carry out an audit of permissions to assess who needs to access what, why and when. Remember that employees may ask who can access their data, and you may need to tell them, so keep this in mind when deciding who to grant permissions to.
Action: Update your permission settings for your HR or People system to ensure that only relevant HR and People team members can access personal data.
8. Hold data securely in a single source of truth
To prepare for GDPR, you need to securely document all the personal data you hold, including information on where it came from and who you share it with.
This is hard when your data is currently spread across spreadsheets or multiple disparate systems.
Action: Introduce a single cloud-based HR and People system to help control the data more effectively and give you greater confidence that your data/information is accurate.
10. Assess suppliers for their ability to comply with GDPR
Are the suppliers of the systems you use fully committed to ensuring your business is GDPR ready? Look for suppliers who have a proactive GDPR strategy in place and are resolved to ensuring that their products conform to the new privacy regulations on a continuous basis.
Action: Engage with your suppliers to check their GDPR readiness.