GDPR – not just an IT issue
The General Data Protection Regulation (GDPR) is less than six months away from enforcement.
The regulation will bring about mammoth changes to how companies treat employee and customer data. Although GDPR is about protecting personal data, that does not mean its implementation falls solely on the shoulders of the IT department.
When it comes to processing and protecting employee data, it is the HR department that carries much of the responsibility, as Steve Wainwright, Managing Director, EMEA, Skillsoft explains.
A recent survey from Citrix found that one in five businesses have “no idea” whether or not they are GDPR compliant. Achieving compliance is a cross-departmental challenge. Whilst IT leads the cavalry in implementing GDPR across the business, HR still has a significant role to play. For every department, GDPR is as much an exercise in communication as in compliance. HR will need to work closely with IT, so that both are ready for the new regulation, and with employees, so that the transition to the new framework is smooth. HR professionals who are not yet preparing for GDPR are exposing their organisations to regulatory fines.
HR’s responsibilities under GDPR
HR will need to ensure all employees understand the new framework. This starts with a change in how HR informs employees about the use of their data. A short paragraph buried in the employment contract no longer suffices: employees must be told, in a clear, standalone document, what data the company holds about them, why it is processed and on which lawful basis, how long it is kept, who it is shared with and whether it leaves the EEA. Where the organisation relies on the employee’s consent, that consent must be explicit, freely given and as easy to withdraw as it was to give, and it should be recorded separately, whether signed physically or digitally. Bear in mind that regulators treat consent as a weak basis in the employment relationship because of the imbalance of power between employer and employee, so most HR processing will instead rest on the employment contract, a legal obligation or the employer’s legitimate interests, and the document should say which. Without this transparency, organisations risk severe penalties for unlawful processing of data.
Making this process official has a number of other benefits. Formalising it gives the company the records it needs to demonstrate accountability under GDPR, and internally it acts as an employee retention and engagement tool: the documentation shows employees that they can trust their organisation and that their personal data is being handled lawfully and properly.
When drafting this documentation, HR needs to work closely with the IT department. Together, they need to map where employee data is held, why it is used and who has access to it.
For example: does it travel to another country? Which third parties, such as payroll or benefits providers, receive it? Who within the business can access it, and is that access limited to those who need it for their role?
By answering these questions, HR can give employees an honest and complete picture of how their data is being used. Employees are unlikely to sign something they do not understand, and it falls to the HR department, with input from IT, to explain employee rights under GDPR in a clear, accessible way.
A two-way conversation
Under GDPR, employees have the right to see and control their data. This includes subject access requests, the right to rectification and the right to erasure (the ‘right to be forgotten’), alongside rights to restrict or object to processing and to data portability. A subject access request must normally be answered within one month and free of charge, a tighter timescale than many organisations are used to. Having a formalised process in place that already explains how employee data is used diminishes the likelihood of a ‘floodgate’ of employee requests once GDPR applies.
However, HR should still be prepared, with both the right systems and the right policies in place for these requests. In practice that means knowing where every copy of employee data lives so a request can be answered completely, verifying the identity of the requester before releasing anything, removing other people’s personal data from what is disclosed, and logging each request and its response so the organisation can show it met the deadline.
Organisations will need well thought-out procedures and systems so that HR teams can handle employee requests smoothly without consuming excessive staff time. This will again involve collaboration with IT, to ensure the right systems are in place, and communication with employees, to reduce the volume of requests that good transparency would have made unnecessary once the new regulation is in force.
Achieving GDPR compliance is not a one-time action; it is an ongoing process that will require refreshers to ensure that all employees keep playing their part. A comprehensive, ongoing training programme will help organisations mitigate the legal, financial and reputational risks of non-compliance.
A structured training programme helps employees understand how their data is used, alongside their personal responsibilities under the regulation. For example, anyone who handles special category data, such as health records, sickness absence or trade union membership, all of which HR routinely holds, needs to follow the rules on how it is stored, shared and disposed of, and every employee should be able to recognise and promptly report a suspected personal data breach, since the organisation may have as little as 72 hours to notify the supervisory authority. Training increases individual accountability throughout the organisation, but a one-off session will not be enough. Companies will need a comprehensive, ongoing training strategy to address the long-term changes GDPR will bring.
HR’s role has changed steadily in recent years, moving away from the traditional administrative role of the past. GDPR transforms it further still. To ensure compliance, HR departments need to embrace the cross-departmental conversation that GDPR demands: working more closely with IT, opening a dialogue with colleagues about data protection and adopting the appropriate technologies.
Through this, and proper planning, HR can help to ensure that its organisation is compliant by 25 May 2018 and remains so for the foreseeable future.