As the EU’s General Data Protection Regulation approaches, business owners eager to prepare should note that compliance will depend on much of the improvements made in HR.
This core company function will fundamentally change how your organisation collects, processes and stores information on employees, customers and clients alike. Adjustments should be informed by the following principles:
Under the GDPR, you will have to be able to articulate to data subjects precisely why their data is needed, how it will be processed, where it will be stored and whether or not it will be shared or transferred to other countries.
The data subject should also be made aware of their rights to access their information, and to make amendments to it should changes occur. The ‘right to be forgotten’ forms a key part of the new legislative climate, so individuals should know that they have the right to ask for their data to be deleted or changed under certain circumstances.
Each of these facets should be documented as evidence as a pathway to the data subject’s compliance to their data being used; GDPR is very much about creating a climate of responsibility through accountability, and HR will take a lead on this.
Under GDPR, only formally trained individuals will be allowed to process personal data. In the event of a data breach, regulators will head straight for HR and ask for evidence of training records.
Guidance on GDPR compliance will typically come from a newly appointed Data Protection Officer (DPO). All companies will be required to employ a DPO on a part- or full-time basis to provide official monitoring, advise on responsibilities and to link the organisation with the data protection authority.
Thorough preparation for compliance will depend on HR personnel having more clearly defined roles. Ownership will need to be developed so that key functions within HR are carried out with heightened diligence regarding data security. This is particularly important where staff members are coming into, or leaving, the business.
New starters should be made aware of the fresh, GDPR-compliant data privacy notice. This will inform them of the organisation’s ongoing new commitments to data security, and the new obligations this puts on staff and the business alike.
Data breach obligations
Any instances of potential data breach must be reported to the relevant supervisory authority under the GDPR. If accidental loss or disclosure of personal data has occurred, then an employee has 72 hours to notify and pass on pertinent details to the data protection authority. Potential victims of said data breach will also have to be notified, if the misdemeanour puts their rights and freedoms at risk.
Steps to preparation
Some of the crucial steps to take towards HR compliance include:
- Conduct a full HR data audit and consider how its storage terms and processing stands against GDPR obligations. Articulate your new responsibilities in an easy-to-understand data privacy notice so that employees and customers are aware of new data requirements.
- Consider the legal side of processing personal data. Are your current data consents in line with GDPR?
- Consider how you will react to a potential data breach and formulate an action plan that guarantees timely notification. This will involve individuals taking on new responsibilities, and learning how to report efficiently and compliantly.
- Start thinking about whether or not you will need a DPO, where they can be recruited, trained and provisioned for.
To learn more about how HR departments will be affected by the GDPR, visit the next GDPR Summit London where there is a dedicted theatre to GDPR’s impact on the HR function.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/