May 02, 2018, 10:32am
6 Questions You Should Be Asking About GDPR
The EU General Data Protection Regulation (GDPR) is set to revolutionise the way that organisations process personal data so businesses need to be ready for the May 25th deadline. Of course, HR departments are at the forefront when it comes to collecting, retaining and processing personal employee data.
The introduction of GDPR will require HR leaders to completely reassess the way they approach data security and retention. Every modern company utilises personal data in some capacity. You need to know what GDPR means for your organisation, to understand what’s required and to implement the necessary changes ahead of the May deadline.
Organisations that fail to comply with the new laws will face fines of up to €20 million or 4 percent of their annual turnover. Preparation is key. Only you know how prepared you are but here are some important questions that every organisation should be asking ahead of May 25th.
1. What data is being captured?
The first step is to make an inventory of all of the personal data that you hold for everyone from employees to temps to contractors. That may seem daunting but this is why you should consider adopting a cloud-based CoreHR SaaS solution as we can help facilitate this GDPR compliance process.
You need to review the data that you’re holding, decide whether it’s necessary (i.e. whether you have a legal basis for processing it) and assess how easily it can be accessed. Under GDPR, employees can demand to know if their personal data is being processed, why it’s being processed and where it’s being held. Under the new GDPR legislation, employers must be able to access, correct or delete employees’ personal data upon request and produce a digital copy if asked.
2. What is the lawful basis for processing the data?
The GDPR legislation expects data controllers (employers) to have a valid legal basis for processing their employees’ data. The legislation sets out 6 possible bases (Consent, Contractual, Legal Obligation, Vital Interests, Public Tasks, Legitimate Interest), and you should be in a position to articulate which lawful basis applies to each set of data being processed. If consent is being used as the basis for processing personal data, explicit consent needs to be captured from those employees.
3. Where is it being stored?
GDPR will enhance employees’ right to access and they have the right to seek “confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.” So you need to know where the data is being stored at all times, whether it is on site or being held by an outside contractor.
This is almost impossible if you are operating a paper-based system or utilising dated HR systems that aren’t fully integrated. A SaaS option takes the challenge out of sourcing and accessing this information, ensuring that you remain compliant and prepared for potential subject access requests (SARs).
4. What security and access controls are in place?
Under the GDPR regulation, any data security breach will need to be reported to the Data Protection Authority (DPA) and affected individuals within 72 hours, unless the data is encrypted or doesn’t identify individuals. So you need to have data breach policies in place.
Article 32 of the GDPR looks at “security of processing” standards, which covers your technical ability to protect and recover personal data.
5. What retention policies are in place?
GDPR will require more transparency from employers about data retention policies. HR leaders need to ensure that any personal data is accurate, complete and up to date under the Data Quality Principle.
You must have defined policies and procedures in place for retaining personal data. Do you currently review your records and delete unnecessary personal data? If not, you’ll need to start doing so.
Personal data should not be retained for any longer than necessary but ensure that you are meeting your legal requirements, which require certain HR records to be retained for a set period of time. Set data retention limits for ex-employees, unsuccessful job applicants or temporary workers.
6. What internal audit function is applied to the data sets?
Examine which operations and data sets will be affected by the incoming legislation. You need to fully understand the new regulations and ensure that you are constantly checking for GDPR updates. Some organisations may need to appoint a Data Protection Officer but every company should appoint a dedicated person or team to carry out a thorough internal audit.
Smarter HR technology protects your personal data, facilitates better retention policies and it ensures that your business is GDPR-ready.
Ready to make the switch to Smarter HR Technology? Book a personalised demo with our experts today!
Thinking about making the switch? Learn how Cloud HR is transforming the way we work by downloading our most recent eBook today!
By David Keating