With just three months to go until the General Data Protection Regulation (GDPR) comes into force, the clock is ticking for HR and payroll managers to get the systems and processes in place to ensure compliance. The regulation, coming into effect on 25 May 2018, updates data rights for today’s networked world, and organisations ignore it at their peril.
A major infringement could cost a company up to 4% of its global revenue, while there is a penalty of 2% of global revenue if records are not in order, or a supervising authority and data subjects are not notified within 72 hours when personal data is exposed in a security breach.
Here are six things you should be doing now to prepare for GDPR:
In essence, GDPR comes down to the rights of individuals and their data and the way organisations manage and protect that data. While many of the rights are already covered in existing legislation, there are significant enhancements including the new right to erasure (commonly known as the right to be forgotten) and the right to data portability. Those in HR and payroll will need to consider payroll and employee benefits data, employee performance data and recruitment data.
It is vital to get leadership buy-in and ownership of the adoption of GDPR. Create a corporate policy – a company statement explaining how you manage employee data, such as what information is collected, how it is collected, how long it is stored for, what systems are used and how data is stored. This information has to be delivered in plain language that can be easily understood, so don’t write it in ‘legalese’ with a large disclaimer!
Make sure you can demonstrate that you have provided this to employees, for example through an intranet. Set up standard operating procedures, such as how and where employees can issue a request to access their data, how you can validate the identity of that employee and who in HR will be responsible for dealing with data requests. Create a process for checks. For example, you may need to check with legal if there is an ongoing dispute with that employee before changing data.
This is likely to be the first thing GDPR enforcers ask to see. However, you can’t protect what you don’t know you have.So, the first thing to discover is exactly where all types of data sit in the organisation. Check what software applications you have, spot potential gaps such as legacy software, consider what is used locally and what is used globally, and check for any applications currently in development versus ‘live’.
Developing an exhaustive register is not easy so start by making an inventory, but don’t go too deep – you don’t want 900 fields in payroll! Is there a centralised corporate register already in existence to which you can attach your employee data? Assign an information owner to each category of data and ensure they are tasked with keeping the register updated, with at least one review a year.
Existing regulation specifies that companies should not keep data longer than needed but there is little enforcement of this. Under GDPR, you not only need explicit consent of the person for each specific purpose for which you are using it, but also you need to be explicit about how long you keep data records – and there will be a significantly higher sanction for non-compliance. The principle is one of minimisation, or privacy by design. In other words, the default settings or processes should protect the privacy of the employee without his or her manual input.
So, clearly communicate how you will use data and define minimum and maximum retention times. Don’t forget to get this validated by your legal team, for example to ensure compliance with other employment laws. As mentioned, employees can withdraw their consent at any time, request a copy of their data and request its erasure. In HR, it’s important to consider other legal implications of this right to be forgotten, for example the need to keep records for any potential litigation.
GDPR says you have to access risks and take appropriate measures to ensure the integrity of data. So, look at your own processes and ask yourself, what could go wrong in terms of the confidentiality, security and availability of personal data? What if it were your own data, or that of your mother or best friend? Would you feel your data was safe and the procedure clear? What if you are an employee in a different geography?
Define and document all regions in which employees work. What if you work in an open environment? Think about clean desk and clean screen policies. And lead by example – this is not just an IT issue.
One of the biggest challenges is embedding GDPR principles into the culture of the business. Provide training and guidance to employees to ensure data rights protection is part of the DNA of the business. Think about the ‘small’ things. For example, how many times have you picked up printed CVs or Excel sheets before the person who printed it got to the printer? What about email? Employees need to be mindful of ‘Reply All’ or sending emails to the wrong person in their address books.
You are not alone in the data ecosystem. Make sure you challenge your HR and payroll providers to ensure they are compliant. Review agreements with third party providers and review software and the design of that software. Any reputable third-party provider, such as SD Worx, will be happy to collaborate and help you to move to GDPR compliance.