GDPR is upon us: if the consequences of not using data transparently weren’t already blindingly clear thanks to the flood of emails you’ve probably been getting about it, the recent media frenzy around the Facebook/Cambridge Analytica story has brought the subject home with stark clarity.
No matter your business size, sector or function, the new regulations that come into force on May 25th 2018 will affect you. There are no exceptions and there is no transitional period. There are, however, extremely large fines.
Apart from marketing, no other sector is as deeply impacted by the new regulations as HR. Privacy notices will have to be revised, confidentiality clauses rewritten, and security around employee data will have to be audited and tightened. If this is starting to sound overwhelming, then take a deep breath, relax, and follow our 6 steps to getting your HR ready for GDPR:
1. Assemble the right team
Imagine the Avengers, if they were all lawyers and GDPR was the Infinity War. Just kidding – in fact, they don’t actually all need to be lawyers: they need to be the people who are in charge of handling customer/client relationships, alongside your heads of marketing, HR, IT and legal. Make sure you appoint a Captain America (or ‘Captain GDPR’) – that person who is going to have overall responsibility for GDPR compliance.
2. Find a template for compliance standards
It’s unfortunate, but GDPR does not come with any specific procedures or precise definitions for a data policy. If you want to implement a framework (and you should), find something that’s already out there, like the Birkbeck University HR Data Protection Policy, and use it as a starting point. Your organisation will differ from theirs, but the goal is the same: data protection.
3. Audit your data
You need to classify all the different types of data you usually collect and archive. That’s important before you can even begin to assess the risks. For instance, you will have a database of employees, potential employees and possibly past employees, and all sorts of information relating to them. GDPR requires you to demonstrate you know where it is, who has access to it, and what exactly it’s used for.
4. Know your unique risks
Classifying the specific risks to your business in terms of low, moderate and high risk is vital to prioritising the issues which need to be addressed before compliance is reached. For example, HR data often includes ‘special category data’ such as national and ethnic origin information, trade union membership records, medical information, and criminal history data. Under GDPR, the circumstances under which employers can process this kind of data are more restricted and require greater protection measures.
5. Determine the risk vs benefit level
GDPR acknowledges, not least in light of the events that led to it, that storing personal data is in itself a risk. With this in mind, you’re encouraged to weigh “how much do I need this data?” against “how easily and effectively can it be protected?”. This means that if you’ve been collecting CVs you should ask yourself whether you really need to keep them. And those notes and details you’ve taken down during interviews? Their usefulness may need to be reassessed.
6. Make risk assessments ongoing
This is a basic GDPR requirement. It means you will need to constantly monitor your data, especially new data – for instance, when you take on a new member of staff – and re-evaluate risk levels. Actions must be put in place on a regular basis to mitigate this risk. Consider appointing a data protection officer – although GDPR states that only public authorities and organisations are legally obliged to have one, the large sets of personal data involved in HR mean that the task of monitoring data could be quite resource-heavy. It also means you’ll have someone to act as a point of contact with the Information Commissioner’s Office (ICO).
After May 25th, data management in HR will change forever. The way data processing works will become considerably more homogeneous, especially for businesses that have not put much thought into it before. It may seem daunting at first, but if you take the time to work through the requirements systematically and delegate the right tasks to the right people, your business can become more efficient and more compliant than it’s ever been – and your HR can go from strength to strength.
Please note the advice above is only guidance and does not claim to be legal advice. Each business will have unique challenges and PA Business Support encourages the reader to seek professional legal advice about the specific ramifications of GDPR on their business.