The EU’s General Data Protection Regulation is just around the corner, but how sure are business owners about the implications involved for HR?
Not very, it would seem, given that less than half of SME owners have even heard of the GDPR, and less than a third of those who are aware consider themselves prepared.
This attitude is wildly at odds with the global significance of the GDPR, which constitutes “the most important data privacy regulation in 20 years,” and replaces 1995’s Data Protection Directive 95/46/EC and the UK Data Protection Act of 1998.
What’s it all about?
The GDPR is designed to make data privacy fit for purpose in the internet age, and its arrival on May 25th 2018 presents the ideal opportunity for organisations to have a timely digital spring clean.
The Regulation will bring in changes to protect the personal details of individuals (data subjects) living within EU borders, such as the right to be forgotten; it will tighten the conditions for data consent and the terms relating to data breaches, and will see most organisations appointing a Data Protection Officer (DPO) on a part- or full-time basis.
Preparing HR departments for the GDPR climate
Landscape shifts should be anticipated for HR departments and the ways in which the personal data of customers and employees alike is collected, stored, processed and deleted.
From the end of May, ‘legitimate consent’ will guide businesses as they accrue new data. This means that firms will have to have a genuine reason for holding onto the data they collect. This alone should signal an end to a culture of data hoarding, which in itself is a ticking privacy time bomb.
As part of an incoming culture of accountability, HR departments should begin their journey to compliance by conducting a data audit to ensure that all stored personal data has been collected in accordance with GDPR standards of consent. If these standards are not in evidence, compliant consent will have to be obtained.
Data Protection Impact Assessments will also need to be reviewed, with focus falling on whether DPIAs need to be conducted for data processors. Processes and operations concerning data subject access requests must be assessed.
There are no specific dots to join as a guide through the GDPR; rather, compliance should be understood as a journey involving tightening operations, training staff and developing organisational awareness in a more security-conscious era.
GDPR compliance through the cloud
Fortunately, there are software options available that can support businesses on their compliance journey.
Cloud technology and SaaS platforms offer companies a means to enhance business systems functionality while keeping compliance a top priority. For example, IRIS HR enables clients to execute subject access requests received from employees so that businesses can reach compliance within strict deadlines.
More generally, cloud technology gives organisations the flexibility and dynamism they need to grow compliantly in the GDPR environment – a domain where personal data will be needed at the touch of a button so that business decisions can be made in real time.
Breaking away from complex and expensive legacy systems, the cloud offers scalable solutions that fully integrate with organisational applications.
With reduced fragmentation, documentation becomes far easier to aggregate, study, control and delete, enabling employees to collaborate to greater effect. Business owners and employees can access and analyse HR data through personalised dashboards in any secure self-service portal, which in turn introduces a new layer of transparency, because an audit trail will exist for all alterations made to personnel records.
Solutions such as Workday update the data processing terms that customers are given, and introduce new functionality that supports compliance. This includes a protocol on internal incident responses that meets notification rules for data breaches, and features that support the data subject’s right to be forgotten.
The carrot and the stick
Failure to comply puts organisations at risk of being hit by hefty fines – 20m euros or 4% of global annual turnover, whichever is greater. Equally damaging, a high-profile data-breach case will not make culpable companies attractive to customers in a far more security-conscious age.
On the flipside, GDPR should be seen as a huge opportunity to get data storage and handling processes in order. Operations will become more streamlined, efficient, secure and – most importantly – compliant, so that companies lead in a united effort to galvanise data privacy for the global good.
For more information on how GDPR will impact HR, visit the GDPR Summit Series.