What is GDPR?
The GDPR aims to protect employee personal data by imposing a slew of data privacy and security requirements. It applies to any employer who processes and stores personal data for employees.
Even if a company is not based in Europe, it must comply with GDPR requirements if it has employees or freelancers residing in the European Economic Area (they do not have to be citizens).
Third-party vendors who are contracted to process employee personal data must also follow the rules.
Penalties for noncompliance will be used to enforce the rule. Fines can reach 20 million EUR, or up to 4% of an employer's annual global revenue for the previous year (whichever is higher).
Furthermore, employees will be able to sue and recover damages from both their employers and their third-party vendors.
What are the key changes for HR under GDPR?
The GDPR aims to give individuals more control over their personal data, which means significant changes for employers and HR departments, such as:
1. Personal data redefined:
The GDPR establishes a broader, uniform definition of personal data as "any information relating to an identified or identifiable natural person." Because the standard for "identifiable" person is set low, GDPR will apply to more data than the current directive.
2. Vendor accountability:
For the first time, the GDPR directly regulates data processors. This includes any vendors used by HR to process personal data on behalf of employees.
3. Standard breach notification requirements:
Employers must report data breaches to supervisory authorities within 72 hours of becoming aware of the breach, and affected employees must be notified without undue delay.
4. New security roles:
If a company monitors personal data on a regular basis as part of its core business, it must appoint a Data Protection Officer.
5. New employee rights:
Employees now have more say over how their data is used thanks to the GDPR. They will have the right to access, obtain, correct, and delete their personal data.
They will also have the right to be informed about how their data is used and to withdraw their consent to its processing (if consent was required and used as legal ground for data processing).
What HR needs to do to comply with GDPR
Because the GDPR introduces a significant amount of new information and regulations, HR departments will need to devote time and resources to covering each new compliance area. Some of the most important tasks that HR must complete are as follows:
1. Policies on privacy:
Not only must HR uphold new employee rights, but they must also formalise and clearly spell out these rights for employees in accordance with the GDPR's enhanced transparency and accountability requirements. To communicate these rights, HR will need to review and update its privacy policies.
As a result of the GDPR, many of HR's current processes will need to be reviewed and updated. The minimization principle, for example, states that HR should collect only the data required for the task at hand. This means that HR will have to reconsider any process that involves requesting personal information from employees, such as onboarding and transfers.
One step HR should take is to ensure that the appropriate employees have the appropriate level of access to view employee data. Only those roles that require employee data should have access to it (this includes outside vendors!)
4. Management of employee files:
The GDPR will necessitate the creation of new employee files, which HR will require employees to sign or acknowledge. In addition to new documents, the GDPR emphasises timely document deletion because a company can be fined for retaining data it no longer requires. HR must review its current retention policies, as well as its process for managing document expiration.
How to get started with GDPR compliance
1. Examine and evaluate all data
- Collaborate with the appropriate departments within your organisation (IT, Legal, GCR) to thoroughly review all of the data that HR manages.
- Determine whether the information is absolutely necessary to keep on file.
- Remove any data that you no longer require.
- Make sure you have a process in place for deleting documents on time.
2. Implement transparency
- Create a method for informing employees about their rights in a clear and visible manner.
- Employees should have access to a platform where they can easily update and/or delete their personal information (when applicable)
3. Perform a security check
- Examine who has access to which data and implement appropriate controls.
- Create a data breach response strategy (or review and update your current one)
- Make plans for ongoing internal security education.
- Inform all partners and vendors who have access to your employees' data about how they plan to comply with GDPR.
4. Assign responsibility
- Determine whether your company requires a Data Protection Officer (DPO)
- If you do not need to hire a DPO, ensure that all security and data management processes have a clear chain of command.
Benefits of GDPR compliance
1. Streamline data management processes:
Laws vary by country under the current Data Privacy Directive. Managing the various legal requirements for any employer with international employees is complicated and time consuming.
The GDPR streamlines these requirements across all countries, allowing HR to standardise its processes. As a result, record-keeping is simplified, and HR is relieved of administrative duties.
2. Make a good first impression on new hires and employees:
Your employees will feel more secure knowing that their data is in good hands. New employees will feel more at ease knowing that their new employer is up to date on the latest privacy practises.
Furthermore, anyone who has had their data compromised in the past (or knows someone who has) will appreciate your organization's dedication to security.
3. Stand out from the crowd:
With more and more companies experiencing data breaches, it is critical for businesses to take the GDPR seriously. GDPR compliance will demonstrate to customers and investors that your company is proactive and digitally savvy.