GDPR has hardly escaped anyone in the EU since its introduction at the end of May 2018. It was established to protect the fundamental rights and freedom of individuals, particularly their right to integrity and privacy.
It requires all employers to keep personal information up to date. The information also needs to be available to people when they request it. HR has a key role in identifying existing systems and mapping out current processes. Why? To make sure the organization stores and manages its data in line with the GDPR.
We have compiled a checklist for HR professionals to combat these challenges. What are the steps to ensure GDPR compliance? Let us find out!
List places where you store data
Make a list of all places and systems where you store personal employee data. Examples of this include systems for recruitment (ATS), pulse surveys, and payroll. Or maybe you have an intranet where you store employee contracts.
Check who has access to the data
On top of listing all places where you store personal data, it is vitally important to have a deep understanding of who can access which data. A manager usually needs access to his or her subordinates' data but does not require access to other managers’ employees. Remember that you need to tell employees who can access their data.
List HR processes and how you perform them
This is a big one. HR processes include everything from recruitment to preboarding, onboarding, performance reviews, absence reporting, pulse surveys, and offboarding. There might be even more internal processes, and it is your job to handle these. Do you collect data in one place or are you using different systems? Do you save some documents or PDFs in local folders?
Identify potential breaches
Are your current processes leaking data? When you go through your current processes, identify where data “escapes” from its natural habitat and gets into the wrong hands. When you hire a new employee, does he or she send personal details to you via email that you later import into a new system? Manual processes, where individuals move data from one place to another, are prone to error.
Manage consent for personal data
GDPR has had a massive impact on the way employers process data. Consent must be freely given by everyone. Get consent for the data you hold, both from current and potential employees. Make it easy to amend when necessary, and set up a clear process for when someone wants to revoke their consent.
Inform employees about their rights
The next step is to keep your employees informed. Update your privacy notice statements and explain what data you hold on them, what you do with the data, where you store it, and what their rights are. GDPR gives employees significantly more control over their personal data.
Store only necessary data
Is there a reason for you to store shirt size, marital status, or similar details about your employees? Probably not. Go through the employees’ digital files and mark all data that is unnecessary with respect to the Accounts Act, the Discrimination Act, and the General Data Protection Regulation.
Ensure that your software vendors are compliant
Make sure that the vendors you use are fully committed to GDPR. For example, Applicant Tracking Systems store personal data from applicants and potential recruits. When you, as the customer, delete the data, is it truly removed from the vendor’s server, or can they still access it? Go through the list of vendors and ensure that they are compliant.
Use self-service to manage requests
Updating employee information can be a daunting and time-consuming task for HR departments. If you can get the whole company to manage their own data and information through self-service in an HR system, you will make your work life drastically easier. Contact information and bank account details are a great starting point.
Provide data in an accessible format
The GDPR allows employees to access their personal data. Make sure you can provide the information requested in an accessible and readable format. Your HR system should be able to help you meet the GDPR requirements including, but not limited to, the following:
- Right to be informed
- Right of access
- Only disclose personal information to the right person
- Right to be forgotten