From 25 May 2018, employers in the UK will be required to comply with what could prove to be one of the most significant pieces of legislation passed in recent years: the General Data Protection Regulation (GDPR) – and it will be highly important for their staff data management.
The GDPR was developed to provide more clarity and detail around the collection, use, disclosure, retention and protection of data pertaining to individuals within the European Union. As well as seeking to give people more control over their personal data, the new rules will aim to simplify the regulatory environment for businesses.
Companies operating in the UK will be required to comply with the GDPR, regardless of the country’s impending exit from the EU.
To prepare for this new era, employers must have the right tools and processes in place for staff data management.
The practical implications of the GDPR
In practice, the GDPR will bring about a number of changes that will require employers to take a new approach to how they store, manage and use employee data.
Some of the most significant measures within the legislation, which build on the requirements under the current data protection legislation, include:
- Rights for individuals to access their personal data and supplementary information.
- A requirement for employers to be ready to provide concise and transparent information about the processing of personal data.
- The individual right to erasure, also known as the “right to be forgotten”, which entitles people to have their personal data erased in certain circumstances, such as when that information is no longer required to serve the purpose for which it was originally collected.
- A requirement for the appropriate technical or organisational measures to be used to ensure that personal data is processed in a way that ensures its security.
Penalties for non-compliance with these rules could be as substantial as 4% of global annual turnover or €20m (£17.6m), whichever is higher.
One of the most significant implications of all this change for businesses is that it is now more important than ever to have reliable technologies, solutions and processes in place to manage employee data.
With that in mind, here are some of the actions that could help to get your organisation’s data systems into shape ahead of the GDPR.
Conduct an audit
Carrying out a thorough information audit is one of the most effective ways of ascertaining and documenting what personal data you hold, where it was collected from and who it is shared with.
A comprehensive audit should encompass various categories of individual employee information, including recruitment records, personnel files, time and attendance data, performance reports, training records and figures associated with payroll, benefits and expenses.
Introduce dedicated software
Like many critical procedures for employers, effective management and processing of data is now best conducted with specialist software, particularly for medium-sized and larger organisations. This need will become even more acute in light of the GDPR.
Implementing a dedicated people management system can give you access to the highest levels of workforce visibility and analytics, making GDPR compliance easier and more efficient.
It’s important that all of the employees in your organisation – not just HR professionals and others who will be directly involved with GDPR compliance – are aware of the regulatory changes and what they mean.
Employees should be informed of their rights under the new rules and how the regulation is designed to give them ownership and control of their personal data.
Ensure data breach protocols are up to standard
Limiting the risk and impact of data breaches is one of the key goals of the GDPR. In cases where a breach is likely to pose a risk to the rights and freedoms of individuals, companies will be required to notify their relevant supervisory authority within 72 hours of becoming aware of the incident.
For many organisations, this new obligation is likely to demand a fresh, more diligent approach to detecting, reporting and investigating security breaches that threaten personal data.
Like many elements of the GDPR, this puts a greater onus on employers to make absolutely sure they are taking the right approach to data management and employee protection.
Businesses that have done their research and prepared in advance will be the best-equipped to meet the demands of this new era of regulatory compliance.