There’s a lot being said about GDPR at the moment so we thought we’d uncomplicate matters and keep it simple with the what, when and why of GDPR from an HR perspective.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a piece of EU legislation that harmonises a raft of data protection laws across Europe.
The regulations apply to any company processing the personal data of European citizens, even if that firm is outside the EU. Whether you’re handling this information in relation to offering goods, services or for the purposes of monitoring people’s behaviour, these regulations apply to you.
Why is the Law Changing?
In recent years, there has been a massive shift in technology and a huge increase in the volumes of data being processed. This has changed how we gather, store and manage data. It has also led to rising concern amongst EU citizens about how their data is handled and the level of control they have over it.
The existing legislation was published over 20 years ago so it was high time for an update.
When do You Need to Meet Your Obligations?
You need to ensure you’re compliant by 25th May 2018 and on an ongoing basis thereafter. If you’re found to be in breach, you can be fined up to €20m or 4% of annual turnover, whichever is larger.
What Does This Mean for HR Data?
Employers have been required under the Data Protection Act to provide staff and job applicants with a privacy notice that sets out certain information. However, under the GDPR you will be required to provide additional information, such as how long you will retain an individual’s data and whether it will be transferred to other countries.
You’ll also need to let employees know how to request a copy of their own data and how they can apply to have their personal data deleted or rectified. This means ensuring your data is labelled and stored to enable these activities to happen.
It’s important to be aware that employees can retract their consent for you to process their data at any time so you’ll need processes in place to help you swing quickly into action.
If your organisation is in the business of monitoring or processing sensitive data on a large scale, you will need to appoint a data protection officer. This role is in place to advise you on your obligations under the GDPR, monitor compliance and liaise with the data protection authorities.
What if I have a Data Breach?
Should you be unfortunate enough to suffer a data breach – be it through disclosure, loss or unlawful means, such as a hacking incident – you must comply with the GDPR’s reporting requirements.
You will need to report specific information to the data protection authority within 72 hours. If there’s a major risk to the rights or freedoms of those employees whose data has been impacted, they will need to be notified.
All of which can cause a huge workload and significant embarrassment to your business.
What Steps Should You Take Next?
On a positive note, the GDPR isn’t there to trick businesses into falling foul of the law. Its aim is to protect individuals’ personal data, a right that all of us are entitled to.
To protect your employees’ data, there are several stages you need to undertake:
- Audit – know what employee data you’ve got, where it is, who has access to it and what you do with it. This is a good opportunity to minimise the data you hold by questioning whether you really need it or not.
- Gap analysis – are there any holes in your data handling processes that mean you won’t be compliant with GDPR? Identifying whether it’s a necessity to retain and process each piece of data is key, as is taking action to correct any issues.
- Review privacy notices – this is one area where nearly all employers will need to make changes. Update your privacy notices to ensure they’re compliant whilst also being easy to understand.
- Do your legal homework – if you currently rely on existing consent to handle employee data you will need to get employees to sign a new, GDPR-compliant privacy statement to ensure you’re legal.
- Prepare your data breach response – you need to have a written policy and process so you can take immediate action should the worst happen. This could include training employees to be able to recognise a data breach and know how to take the appropriate next steps.
- Hire your data protection officer if required – be prepared to pay as these roles will be in demand.
The technicalities of the GDPR can feel dizzying, but by taking the steps outlined in this article you’ll have a much better handle on the personal data you manage. Not only will this help you take the actions required to keep employee data and the people it relates to safe from harm, but you’ll protect your business to boot.