With only a few days to go until the General Data Protection Regulation (GDPR) is upon us, HR departments will no doubt be busy considering what changes they need to make.
Many HR departments will already be following good practice principles in data protection that have been enshrined in law since the Data Protection Act of 1998. GDPR brings with it an evolution of these principles, taking into account the huge strides that have been made in terms of how we process personal data in a digital world.
Here are some of the key steps that HR needs to take now towards its GDPR compliance in relation to its workforce data if it hasn’t already:
RSM’s top 10 tips in relation to workforce data and GDPR
- Map your data; this involves mapping any personal data you are currently processing in HR, e.g. CVs, interview notes, offer letters, references.
- Work out where you hold all your data (hard copies and electronic) and record it on a data audit sheet.
- Work out how long you store it for, how securely you store it, whether you send it anywhere and, if so, where to, and whether the correct protections are in place if it is going outside the EEA.
- Do you have satisfactory arrangements in place with third party suppliers?
- Do you need to appoint a Data Protection Officer (DPO) or just a nominated person to be responsible for data protection?
- When you do erase the data, are you doing this securely? A sound HR personal data retention policy is going to be key to your success in taking steps towards compliance with GDPR. Make sure you keep personal data on your prospective employees, current employees and ex-employees for only as long as is necessary.
- Two key words for HR to enshrine in their processing of employees' personal data are accountability and transparency. HR departments need to be accountable in how they process employees' personal data and transparent with their employees about how they do this.
- Providing a privacy notice that details how the organisation will process the personal data of a prospective or new employee will be another important step for HR departments to take towards GDPR compliance, and also addresses the transparency principle.
- HR teams will need to review their template contracts of employment going forward and use this for all new staff they employ post 25 May 2018.
- HR teams will need to review their template employee handbooks, and bring in new data protection policies to reflect the changes that GDPR brings. There may also be other policies that need updating by HR - such as Disciplinary and Grievance policies to ensure that employees can be dealt with appropriately if they mistreat the personal data of fellow employees, or personal data of any description.
Finally, if you haven't done anything yet, do not panic: the ICO is unlikely to come knocking on your door on 26 May (unless you have a major data breach - in which case it could). The important steps you need to take are detailed above, and any steps you can take towards compliance will stand you in good stead should you encounter a problem in processing the personal data of your employees.