As GDPR takes effect, here’s how HR departments can ensure compliance.
The General Data Protection Regulation (GDPR), a new set of data protection regulations implemented by the European Union, took effect on May 25, 2018. Intended to protect the data privacy of EU citizens, it requires businesses worldwide to comply with the new regulations in how they handle both customer and employee data. GDPR applies to all organizations that process the data of EU citizens, as well as all businesses located in the EU, which, in a globalized world, is an extremely large segment of the business community.
“It’s the largest data privacy law passed to date, and it likely impacts your company,” says Forbes.
Organizations that don’t ensure compliance could receive hefty fines. HR departments across the U.S. and around the world must therefore take action to adjust how they manage employee and contractor information. Many experts also believe GDPR is a harbinger of broader changes in data protection, so getting up to speed with GDPR will help you prepare for stricter regulations that may emerge.
The EU’s previous set of regulations on data protection took effect in 1995, and since then, the Internet era has massively increased the amount of data that companies can easily collect and store. The new rule is meant to help bring the EU and other regions up to speed with those changes. Read through this summary of key changes to learn more.
In an article for the Society for Human Resource Management (SHRM), Tom Mintern and Sam Rayner, attorneys who work with Bird & Bird in London, write that HR preparations for GDPR must include the following:
- Establishing clear and detailed policies and trainings regarding data protection.
- Auditing and reviewing your data protection measures.
- Keeping updated records of all data sharing and protection activities.
The following steps will help your HR department achieve those objectives to ensure compliance with GDPR.
Review Existing Data and Collection Practices
To know what changes you need to make, you first need to assess how you’re gathering and storing data. Conduct a thorough data review, and delete the information that no longer serves a clear purpose, says the GDPR Report. Review and update employee and contractor data retention limits in the process, advises SHRM. Here are a few pointers for getting started:
- Outline all of the methods by which you currently collect data on employees, contractors, and potential hires, as well as the reasons for which you do so.
- Determine which departments or staff have access to such data.
- Create a list of all the ways you gather employee data, as certain employee monitoring and background checking practices may be risky under GDPR, say Mintern and Rayner.
- Create a chart showing how employee data flows across borders.
As you sort through this data, respect employees’ “right to be forgotten.” Upon staff members’ request, you must immediately discard any personal data that you’re not required to keep by law, the GDPR Report says. Individual requests must be addressed in one month or less, says Forbes in “Global Data Protection Regulations: Is Your HR Department Ready?”
Using your data map as a guide, evaluate whether your past collection of data was justifiable, and whether you should keep or safely discard any data you’ve collected that may not be justified. According to the UK’s Direct Marketing Association (DMA), there are six legal justifications for collecting personal data under GDPR, as follows:
- Legitimate interest
- Legal obligation
- Public interest
- Vital interest of data subject
This includes resumes kept on file. If you hold job applicants’ resumes for future consideration, you need to inform them (and allow them to opt out), says the GDPR Report.
Appoint and Train a Data Protection Officer
Nominate a data controller and a data processor as the people who handle the data, in order to limit the number of people who have access to it. The data controller should also train other staff in how to process data, keeping everyone informed on best practices for GDPR compliance.
- Select someone with a strong knowledge of data protection policies, or provide ongoing education on this topic.
- Create a contract with these officers that meets GDPR’s criteria. GDPR stipulates that these officers, who act independently, cannot face repercussions for carrying out these responsibilities, notes SHRM.
Read EUGDPR.org’s overview of data protection officers’ responsibilities to prepare your HR staff for this role.
Set Clear Data Collection Policies
Organizations must both minimize their data collection and clarify how and why they do it under GDPR. Obscure fine-print clauses are no longer acceptable when it comes to data collection. “Privacy policies relating to data held on employees must be clearly written, easy to access, and concise,” says the GDPR Report. Here are some best practices for data collection protocols:
- Make sure your consent forms are clear and straightforward, stating which personal data will be collected and retained, and why.
- If you have consent forms addressing multiple issues, group them into individual forms and simplify the language, says CNBC. Burying one issue within a lengthy form is not acceptable under GDPR.
- Ensure you have a clear reason for using the data you’re collecting via forms or other methods, says SHRM; and document that reason so you can prove why you were gathering the data if need be.
- Create a data register: a central log of all the ways in which you will be collecting data.
It’s imperative for organizations to make sure they have valid legal grounds for collecting employee data. Under GDPR, getting employees’ consent for retaining their data is no longer enough. Since their employer holds a great deal of power over them, employees aren’t able to “freely give” this consent under GDPR. “The relationship between employer and employee is not even,” says the GDPR Report. “The employer is in a position of strength, the employee may feel coerced into signing an agreement, even if the coercion is subtle and tacit.” Instead, you must be able to clearly articulate a persuasive reason why you need to collect such data.
Revisit Contractual Arrangements with Third Parties
Revisit contractual arrangements with any third parties that handle your data. If you share staff data with any outside parties, make sure your contracts meet the requirements of GDPR. “As a business, you need to review the list of HR and payroll business partners, and evaluate whether they are GDPR compliant,” says Gert Beeckmans, Chief Risk & Security Officer of SD Worx, on the GDPR Report website.
- Look back at your list of how employee and contractor data flows across borders.
- Create a database of all contacts with whom you share data, says SHRM. That way, if asked, you’ll be able to supply that information.
Remember, simply allowing a third party to access information constitutes data sharing. If a consultant abroad is able to review your data at any point, that constitutes a transfer, according to SHRM.
If you’re using software from an outside entity to process personal data, make sure it will support you in maintaining GDPR compliance.
Read the full article from SHRM for more tips.
Protect Your Data
New tools are continually emerging to help you protect your data. Here are a few key tips for keeping your employee data safe:
- SHRM advises using encryption to keep your data hidden from those who don’t need to view it. Encryption turns the data into a secret code that only someone with a key can unlock.
- Employ an Outbound Content Control tool as well, which can block sensitive information, such as Social Security numbers, from being sent out, potentially stopping breaches, says SHRM.
- Consider using an externally sourced solution for data management if you’re not equipped to protect your data on your own. “Cloud-based HCM [human capital management] tools can help you meet compliance standards without ignoring current HR needs,” writes Doug Bonderud in Forbes.
- Anonymize data wherever possible, so it can’t be linked to individuals.
- Test your systems regularly to make sure they’re as safe as possible.
Establish Data Breach Procedures
Mistakes may happen, so be prepared. As SHRM suggests, create clear procedures for what to do if a data breach occurs. Establish a policy of reporting data breaches to your data protection authority (DPA) within 72 hours, starting as soon as staff realize a breach has occurred, and determine what mitigation measures you’ll take, says CNBC.
- Notify those whose data was breached if the incident “is likely to result in a high risk to the rights and freedoms of individuals,” advises the GDPR Report.
- Ensure the data controller has the contact info for the appropriate DPA, since that individual is the person responsible for reporting a breach.
If a data breach occurs, having taken these steps will help your case. Showing a good faith effort to follow the new rules will help minimize any repercussions—as well as the chance that a breach will have harmful effects in the first place.
Read the Forbes Insights report “Data Protection by Design: The Opportunity in the Obligation of GDPR Compliance” for further advice on mitigating threats to your data.
Taking these steps will help ensure that business goes on uninterrupted as you get up to speed with GDPR. Plus, as Forbes Insights points out, you’ll build trust with your employees and contractors by maintaining a high level of data security. For more insights, view the webinar “What Employers Need to Know About the GDPR” with the rest of your HR department so you’ll have a shared understanding of the steps you need to take.