GDPR is one of the biggest shakeups ever seen affecting how personal data should be handled.
In a world where people’s data is captured and used in ways, they may not even realize, the new rules on how personal data is processed will become much more stringent.
As gatekeepers and processors of personal data, HR and People teams have a crucial role to play.
There are several things HR and People leaders can do to prepare for the GDPR, but want to know an essential list of exactly what should be on your to-do list as the deadline creeps closer? We summarize the top things you can do right away to make sure you are getting your house in order.
Identify the lawful basis on which you are capturing personal data
As an employer, you must have a valid or lawful basis to gather and process personal data. In most cases, this will be for legal, contractual or legitimate purposes. For example, you may need to gather candidate contact information for communication purposes, or you may need social security numbers for tax and payment purposes. However, in some instances, you may need to obtain consent from the individual to use the data for a specific purpose that falls outside the usual employer-employee relationship. Make sure you have clearly identified the lawful basis for all personal data you are capturing to manage data and consents accordingly.
Capture and manage consent for personal data
Under the new GDPR rules, where you process data on the basis of consent, that consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes demonstrated by a statement or by clear affirmative action. So, silence, pre-ticked boxes, and inactivity do not amount to consent. Furthermore, you also need to keep a record of this consent. Consider how you will track and update consent against each data point so that if consent or circumstances change, you can make the necessary adjustments quickly. Remember that you may need to revisit your existing consents to make sure they are still valid under the GDPR.
Keep employees informed about their personal data rights
The GDPR gives employees significantly more control over their personal data – rightly so. Do you have plans in place to notify employees about the changes and their new rights? Make sure you update your privacy notice statements for all employees and candidates explaining: what data you hold on them, what you’ll do with that data, where it is stored, how long you’ll hold it and what their rights are in respect of that data. Privacy information and notices must be shared well in advance and be easily accessible.
Use self-service to manage data access requests quickly and efficiently
Employees have always been entitled to request information about the data you hold on them, but the GDPR now makes this much more accessible for employees. You will need an efficient way of enabling employees to see their data, change it as necessary, and understand how it is being used. This is where self-service comes in. If your workforce can manage their own data through self-service functionalities in an HR or People system, then everything is suddenly significantly easier. This also means that you can automate processes and notifications to the HR or People team regarding changes they may have to make when personal data is updated.
Ensure you can provide data in an accessible format, and delete it if requested
The GDPR allows employees to access their personal data if they wish, and in some circumstances, have their personal data erased. Make sure you can provide the information requested in an accessible and machine-readable format, such as CSV, and you have processes for identifying, rectifying and deleting the data in line with requests. Some cloud HR and People systems, such as the Sage Business Cloud People system, enable you to export data into the necessary formats and to anonymize and delete data where required.
Audit all personal data held by employees
Does your department have boxes of paper scattered across the office? Bringing all your data into one place doesn’t just mean getting a handle on your electronic information but understanding and auditing paper copies you might also have. Securely destroy the information you no longer need or have a legitimate reason to store and upload any necessary data you still need to retain to your single electronic source of truth, before then securely destroying this too when ready. If you retain any of this paperwork electronically, make sure you have consent to do so, in order to maintain a lawful basis for keeping it.
Tailor data access and control so only those with the permissions have access
Do you know who can access your employee data? Update your permission settings for your HR or People system to ensure that only relevant HR and People team members can access personal data. Remember, you may need to communicate to employees who can access their data if they request information on this, so take this into account when deciding permissions.
Ensure your people data is in a secure single source of truth
To prepare for GDPR, you need to securely document all the personal data you hold, including information on where it came from and whom you share it with. This is hard when your data may be currently across spreadsheets or multiple disparate systems. A single cloud-based HR and People system will help with this, so if you do not currently have one, it is time to start looking.
Establish a process for alerting relevant authorities to breaches
Hopefully, you’ll never have a data breach; but, if you do, you need to be able to act immediately – which means having a clear protocol in place should something happen. In the EU companies must notify the relevant supervisory authority within 72 hours of any breach coming to light. Along with other relevant stakeholders in your organization, decide who should take the lead on investing breaches, and establish who needs to be aware and what they’re expected to do to assist rectifying the breach and notifying the relevant supervisory authority in your region.
Assess suppliers for their ability to comply with GDPR
Are the systems you use fully committed to ensuring your business is GDPR ready? Sage has a proactive GDPR strategy in place and is committed to ensuring the Sage Group products are GDPR ready. We are fully committed to our customers’ success, and regularly review our products to assist with this.
Keep informed of the latest developments
The UK’s Information Commissioner’s Office (ICO) is continuing to issue guidance on the GDPR and what it means for organizations. It’s worth registering for updates from their website to stay up-to-date with the latest developments.
Download our ebook on the six steps to GDPR readiness for HR teams – including a comprehensive checklist to work through
As previously mentioned, preparing for the GDPR can seem a little overwhelming. At Sage, we’ve prepared an in-depth guide to help HR and People teams take appropriate steps to get ready, including a comprehensive readiness checklist. Download it to get started.