There are only two days until the General Data Protection Regulation (GDPR) comes into force, which will govern the levels of protection and privacy for all individuals. It represents one of the biggest shakeups as to how personal data should be handled.
By Paul Burrin, vice-president of Sage People
As gatekeepers and processors of personal data, HR and People teams have a crucial role to play. So, as time is ticking before the new regulation is law, here’s a check list of things you need to have actioned in preparation.
Identify why you need that personal data
As an employer, you must have a lawful basis to gather and process personal data. In most cases, this will be for lawful, contractual or legitimate purposes. For example, you may need to gather candidate contact information for communication purposes, or you may need social security numbers for tax and payment purposes.
However, in some instances, you may need to obtain consent from the individual to use the data for a specific purpose that falls outside the usual employer-employee relationship.
Action: Make sure you have clearly identified the lawful basis for all personal data you are capturing to manage data and consents accordingly.
Capture and manage consent for personal data
Under the new GDPR rules, where you process data on the basis of consent, that consent must be a freely given. In fact, it must be specific, informed and a clear indication of the individual’s wishes as shown by a statement or by a clear affirmative action. So, assumption, pre-ticked boxes, no-reply email and inactivity do not amount to consent.
Furthermore, you also need to keep a record of this consent. Consider how you will track and update consent against each data point so that if consent or circumstances change, you are able to make the necessary adjustments quickly.
Action: get consent for the data you hold, make it easy to amend when necessary and set up an action to revisit periodically whether you still need the consent.
Keep employees informed about their personal data rights
The GDPR gives employees significantly more control over their personal data so as employers you need to let them know this.
Action: Keep your employees informed. Update your privacy notice statements for all employees and candidates explaining: what data you hold on them, what you’ll do with that data, where it is stored, how long you’ll hold it and what their rights are in respect of that data.
Use self-service to manage data access requests quickly and efficiently
Employees have always been entitled to request information about the data you hold on them, but The GDPR now makes this more accessible for employees. You’ll need an efficient way of enabling employees to see their data, change it as necessary, and understand how it is being used. This is where self-service comes in.
If your workforce can manage their own data through self-service functionalities in a HR or People system, then everything is suddenly significantly easier.
This also means that you can automate processes and notifications to the HR or People team regarding changes they may have to make when personal data is updated.
Action: manage change through automation and introduce self-service functionality to your HR systems.
Ensure you can provide data in an accessible format, and delete it, if requested
The GDPR allows employees to access their personal data if they wish, and in some circumstances, have their personal data erased.
Make sure you can provide the information requested in an accessible and machine-readable format, such as CSV, and you have processes for identifying, rectifying and deleting the data in line with requests.
Some cloud HR and People systems, such as the Sage Business Cloud People system, enable you to export data in the necessary formats and to anonymize and delete data where required.
Action: ensure the data you hold is held in an accessible format and easy to amend.
Audit all personal data held on employees
Does your department have boxes of paper scattered across the office? Bringing all your data into one place doesn’t just mean getting a handle on your electronic information but understanding and auditing paper copies you might have also.
Action: Securely destroy information you no longer need or have a legitimate reason to store. Upload any necessary data you still need to retain to your electronic single source of truth, before then securely destroying this too when ready. If you retain any of this paperwork electronically, make sure you have consent to do so.
Control who has access to the data
Do you know who can access your employee data? Carry out an audit of permissions to assess who needs to access what, why and when. Remember, you may need to communicate to employees who can access their data if they request information on this, so take this into account when deciding permissions
Action: Update your permission settings for your HR or People system to ensure that only relevant HR and People team members can access personal data.
Hold data security in a single source of truth
To prepare for the GDPR, you need to securely document all the personal data you hold, including information on where it came from and who you share it with.
This is hard when your data may be currently across spreadsheets or multiple disparate systems.
Action: Introduce a single cloud-based HR and People system, this will help control the data more effectively and give you greater confidence that what you hold is accurate.
Assess suppliers for their ability to comply with GDPR
Are the systems you use fully committed to ensuring your business is GDPR ready? Sage has a proactive GDPR strategy in place and are committed to ensuring the Sage Group products are GDPR ready. We are fully committed to our customers’ success, and regularly review our products to assist with this.
Action: Engage with your suppliers to check they are ready for the regulation.