By Paul Burrin
A run-down of the steps the region's HR professionals need to take as part of their GDPR compliance
The EU’s General Data Protection Regulation (GDPR) that came into effect on May 25 represents a major watershed in data protection, replacing all existing laws governing the protection and privacy of individuals in EU countries. GDPR reinforces the EU’s belief that a person’s right to the protection of their personal data is a fundamental human right.
From a macro view, GDPR also applies to companies in the Middle East and around the world that handle the personal data of European residents and citizens or offer goods and services to them. With data breaches and infringements having wiped out companies big and small in our “global village”, organisations in the Middle East that transact business with the EU should make sure they are aware of the new regulations, even if they are not directly affected.
Human resource teams in the region have a crucial role to play as gatekeepers of personal data. As the new regulations came into effect last week, let’s have a look at a list of things you need to put in place to ensure GDPR compliance.
As an employer, you must have a lawful basis for gathering and processing personal data. In most cases, this will be for legal, contractual or legitimate purposes. For example, you may need to gather a candidate’s contact information for communication purposes or may require social security numbers for tax and payment purposes.
However, in some instances, you may need to obtain consent from the individual to use the data for a specific purpose that falls outside the remit of the usual employer-employee relationship.
Action: Make sure you have clearly identified the lawful basis for all personal data you are capturing in order to manage the data and consents accordingly.
Under the new GDPR rules, whenever you process data on the basis of consent, that consent must be freely given. In fact, it must be a specific, informed and clear indication of the individual’s wishes, evidenced by a written statement or by a distinct, affirmative action. Remember, therefore, that in a post-GDPR era assumption, pre-ticked boxes, unanswered emails and inactivity do not amount to consent.
Furthermore, you also need to keep a record of this consent. Consider how you will track and update consent against each data point so that, should circumstances change, you can make the adjustments quickly.
Action: Get consent for the data you hold, make it easy to amend when necessary, and plan to revisit periodically to assess whether you still need the consent.
GDPR gives employees significantly more control over their personal data. Therefore, as employers, you need to let them know of their rights and choices.
Action: Keep your employees informed. Update your privacy notice statements for all employees and candidates and explain what data you hold on them, what you’ll do with that data, where it is stored, how long you’ll hold it, and what their rights are with regard to that data.
Employees have always been entitled to request information about the data you hold on them, but GDPR makes this more accessible for employees. You will need an efficient way of enabling employees to see their data, change it as required and understand how it is being used. This is where self-service comes in.
If your workforce can manage their own personal data through self-service features in an HR or people system, then everything becomes significantly easier. It also means you can automate the processes and notifications that tell the HR or people team what changes they may need to make when personal data is updated.
Action: Manage change through automation and introduce self-service functionality to your HR systems.
GDPR allows employees to access their personal data should they wish to do so, and in some circumstances, have their personal data erased. Make sure you can provide the information requested in an accessible and machine-readable format, such as CSV, and that you have processes in place for identifying, rectifying and deleting the data based on such requests.
Some cloud HR and people systems in the market today, including the Sage Business Cloud People System, enable you to export data in the necessary formats and to anonymise or delete data when required.
Action: Ensure the data you hold is stored in an accessible format and is easy to amend.
Does your department have boxes of paper scattered across the office? Remember that bringing all your data into one place, including digitising paper records, helps you get a handle on your electronic information and enables you to understand and audit it.
Action: Securely destroy the information you no longer need or have a legitimate reason to store. Upload any data you still need to retain to your single electronic source of truth (the one authoritative system of record), then securely destroy the paper copies when ready. If you retain any paperwork electronically, make sure you have the consent to do so.
Do you know who can access your employee data? Carry out an audit of permissions to assess who needs to access what, why and when. Remember that you may need to tell employees who can access their data if they ask for that information, so keep this in mind when deciding which permissions to grant.
Action: Update your permission settings for your HR or people system to ensure that only relevant HR and people team members can access personal data.
To prepare for GDPR, you need to securely document all the personal data you hold, including information on where it came from and who you share it with. This is hard when your data may be currently distributed across spreadsheets or multiple disparate systems.
Action: Introduce a single cloud-based HR and people system to help control the data more effectively.
Are the suppliers of the HR systems you use fully committed to ensuring your business is GDPR ready? Look for suppliers who have a proactive GDPR strategy in place and are committed to ensuring that their products conform to the new privacy regulations on a continuous basis.
Action: Engage with your suppliers to check their GDPR readiness.