GDPR and HR: Staff data management

Since 25 May 2018, employers in the UK are required to comply with what could prove to be one of the most significant pieces of legislation passed in recent years: the General Data Protection Regulation (GDPR) – and it will be highly important for their staff data management.

The GDPR was developed to provide more clarity and detail around the collection, use, disclosure, retention and protection of data pertaining to individuals within the European Union. As well as seeking to give people more control over their personal data, the new rules aim to simplify the regulatory environment for businesses.

Companies operating in the UK are required to comply with the GDPR, regardless of the country’s impending exit from the EU.

To prepare for this new era, employers must have the right tools and processes in place for staff data management. GDPR and HR will be linked closely now the legislation has come into play.

Practical implications of the GDPR

In practice, the GDPR brings about a number of changes that will require employers to take a new approach to how they store, manage and use employee data.

Some of the most significant measures within the legislation, which build on the requirements under the current data protection legislation, include:

• Rights for individuals to access their personal data and supplementary information.

• A requirement for employers to be ready to provide concise and transparent information about the processing of personal data.

• The individual right to erasure, also known as the “right to be forgotten”, which entitles people to have their personal data erased in certain circumstances, such as when that information is no longer required to serve the purpose for which it was originally collected.

• A requirement for the appropriate technical or organisational measures to be used to ensure that personal data is processed in a way that ensures its security.

Penalties for non-compliance with these rules could be as substantial as 4% of global annual turnover or €20m (£17.6m), whichever is higher.

One of the most significant implications of all this change for businesses is that it is now more important than ever to have reliable technologies, solutions and processes in place to manage employee data.

So what does GDPR mean for HR departments and what does your business need to do to manage it? Here are some of the actions that could help you to understand how GDPR affects HR and keep your organisation’s data systems in shape.

Conduct a GDPR HR audit

Carrying out a thorough information audit is one of the most effective ways of ascertaining and documenting what personal data you hold, where it was collected from and who it is shared with.

A comprehensive GDPR HR audit should encompass various categories of individual employee information, including recruitment records, personnel files, time and attendance data, performance reports, training records and figures associated with payroll, benefits and expenses.

Use dedicated software

Like many critical procedures for employers, effective management and processing of data is now best conducted with specialist software, particularly for medium-sized and larger organisations. This need will become even more acute in light of the GDPR.

Implementing a dedicated people management system can give you access to the highest levels of workforce visibility and analytics, making GDPR compliance easier and more efficient.

Raise awareness

It’s important that all of the employees in your organisation – not just HR professionals and others who will be directly involved with GDPR compliance – are aware of the regulation and what it means.

Employees should be informed of their rights under the new rules and how the regulation is designed to give them ownership and control of their personal data.

Ensure data breach protocols are up to standard

Limiting the risk and impact of data breaches is one of the key goals of the GDPR. In cases where a breach is likely to pose a risk to the rights and freedoms of individuals, companies will be required to notify their relevant supervisory authority within 72 hours of becoming aware of the incident.

For many organisations, this new obligation is likely to demand a fresh, more diligent approach to detecting, reporting and investigating security breaches that threaten personal data.

Like many elements of the GDPR, this puts a greater onus on employers to make absolutely sure they are taking the right approach to data management and employee protection.

Businesses that have done their research and are managing their processes in the right way will be the best-equipped to meet the demands of this new era of regulatory compliance.