The EU General Data Protection Regulation (GDPR) is a big deal for everyone, not least HR. With a recent survey suggesting more than a fifth (21 per cent) of individuals in the UK plan to exercise their rights under the GDPR to ask their employer or ex-employers to delete their information*, there’s going to be plenty of work for HR teams. And with the breadth of the regulation and potential size of the sanctions for failure to comply (up to 4 per cent of the annual global turnover or €20 million, whichever is greater), it’s critical to get it right.
That means understanding that managing individuals’ requests for personal data to be identified, erased or transferred, won’t be straightforward. HR teams will need an understanding of the different types of data (personal, pictures or analytics) and where they are held. Employee lifecycle/HR data, in particular, can be found in multiple systems and sources (such as HR information, talent management, or learning management systems as well as payroll providers, finance, third-party providers and in the cloud). And the GDPR compliance will be especially important around contractual obligations, data security, accuracy, retention, and the ability to find and erase personal data. HR, finance and procurement directors will also have to get the right data transparency policies and processes in place to meet the full range of the GDPR requirements.
HR will have a responsibility to ensure employees are GDPR-compliant and know what their roles and duties are when handling any personal data, whether that belongs to their colleagues or customers. What’s critical here is recognising that compliance with the GDPR boils down to changing the behaviours of everyone in the organisation. It’s not the sole responsibility of Data Protection Officers. So you really need to be proactive about changing culture. And recognise that all this takes time and constant enforcement. If you don’t start now, you may run out of time to address issues that arise.
We think all this adds up to six actions that HR professionals need to be getting on with now:
- Assess how ready you are for the GDPR. That means working out what data you hold and where - it could be in HR, finance, procurement or reporting records. Then conduct an internal and external (third parties and cloud providers) GDPR information audit. When you understand where you hold data and what kind, you need to create inventories, classify it and set out how the data is used. You can use eDiscovery tools to help with all this.
- Communicate the new behaviours and culture throughout your organisation. That means getting senior leadership buy-in, identifying who data protection officers and data champions are. Then you need to agree the different communications and training needed for each of them. That’ll range from workshops, face-to-face, webinars, FAQs or checklists. We’ve worked with many organisations to develop and deliver GDPR awareness workshops and the associated training materials for a variety of audiences up to board-level, and know how important they are.
- Look at how you hold, manage and protect personal information. If personal data is critical to the business, then you’ll need to see if it can be anonymised in, for example, business analytics. If you transfer data internationally you’ll need to revise your policy on that too. The GDPR is also a business risk so you’ll need to check your information risk management policies still apply. The stakes are being raised on data breaches so you’ll need to check your data breach incident response policies and processes, and look at where you can reduce the risks of breaches.
- Notify your staff about the personal data you hold about them. You need to agree the legal basis for processing personal data. What’s critical is that the GDPR requires explicit consent, so you must get clear permission to hold an individual’s personal data – this should take place as part of the GDPR awareness exercises and training. Having revised your policies, you’ve then got to make sure they are implemented and enforced.
- Clean up your data and get rid of any data that’s no longer required by the business, or from a legal or statutory perspective. Remember that the data could be in hard copies, spreadsheets, data warehouses, third parties and archives.
- Scenarios can help. You should develop organisation-specific, realistic scenarios to test behaviours, policies and processes two to three months prior to the GDPR enforcement. This should focus on things like how will you be able to comply with the requirement to give notification within 72 hours of discovery of a data protection breach. This kind planning will give you time to identify potential risks and deal with them. And in our experience, it works: for a bank client, we developed scenario-based interventions that really brought the issue to life and quickly gave everyone a consistent understanding of the regulations and its impact on them.
What’s clear is that you need to start work now. Failure to get things in place in time won’t wash as an excuse in 2018. Regulators, customers and employees will expect you to be ready.
* "Fifth of Brits would ask employers to delete personal details under GDPR”, Marianne Calnan, 14 July 2017, People Management, CIPD