With so many things to consider when preparing for the GDPR, it’s easy to get stuck in absorbing all the information that is available. HR should begin by mapping where they stand in terms of employee data.
So you know what the GDPR is, and probably the consequences of non-compliance too. With so much information about the new privacy regulation available, it’s easy to get lost in the facts. The GDPR is, however, not a multiple-choice test you can pass by knowing the facts, but a fundamental change in how organisations handle data on their customers, partners or employees for the foreseeable future.
Under the GDPR, data subjects such as employees gain significantly stronger rights over data about them: the right to access that data, the right to data portability, the right to erasure and more. Organisations must have compliance processes in place for all employee or HR data, and this requires a detailed overview of that data.
HR professionals handle information that is often very sensitive in nature. In addition to home addresses and emergency contacts, HR systems host a lot of data on individual employees, such as salary and performance appraisal data. The GDPR changes the way this data is handled, beginning with how it is collected. Small print or indirect consent will no longer be sufficient: consent must be specific, informed and freely given.
Employees will own their data.
What about when an employee leaves? Today you probably have an exit checklist in place to ensure that keys or access cards, computer and mobile phone and company credit card are returned and software licences are terminated. Under the GDPR, an employee will have the right to ask you to erase their data (exemption: data that is reported to the authorities, such as tax data) or to take the data with them (for example on a USB stick, which, by the way, is not the safest way to store sensitive data).
The right of access can be exercised by an employee at any time, even without any plans to leave the company. This means that an employee can ask to see the information your organisation holds about them. As the consequences of non-compliance can be severe, it’s advisable to ensure you have an appropriate process in place.
To kick off your GDPR compliance journey, we recommend you begin by mapping your current preparedness and carrying out a comprehensive employee data audit in collaboration with other stakeholders such as finance and payroll. The audit must cover data from all sources, including the various IT systems, spreadsheets, text documents and so-called unstructured data, which can for example be a manager’s handwritten notes in a notebook.
A detailed audit will allow you to identify areas where you have room for improvement and those that you already have in order. Based on the audit, you are better positioned to plan your GDPR implementation.