With the recent scandal about misuse of private Facebook data, privacy, particularly the electronic kind, is getting more attention than ever. An increasing number of individuals and governments are coming to believe it is an individual right to know who has your data and what they are doing with it, and new laws are emerging to enforce this viewpoint. The most prominent law is the European Union’s General Data Protection Regulation (GDPR), which will go live on 25 May, 2018 and impose potential penalties of up to 4% of global revenue or €20 million, whichever is higher.
While most attention is going to companies that, like Facebook, work with and sell consumer data, HR professionals need to remember that they too are responsible for a large volume of private employee data. Properly handling this will create a culture of trust and security. Failure to do so could cost millions as well as destroy employee confidence in their employer.
Here are a few things HR needs to keep in mind when it comes to being ready for GDPR:
Know the Key Rules
Like any piece of major legislation, GDPR carries a large set of rules with it. Here are some of the key rules HR needs to keep in mind:
Appoint a Data Protection Officer
Not every organization is required to have one (PWC has a useful guide to help determine this), but a DPO provides you with the guidance and feedback you need to keep all your data affairs in order.
Holding data requires permission
Many companies have taken an “opt-out” approach to personal data: the company stores it by default unless someone specifically opts out. With GDPR, companies are restricted in their ability to hold data without specific consent. To be on the safe side, HR managers should be gathering permission from all employees and ensuring their HR systems are designed to automatically request consent and process data accordingly.
Candidates and employees must be able to view data and request its deletion
Generally speaking, candidates and employees should be able to log in, view their basic details, and request that they be deleted. Some details, such as interview notes or employee disciplinary records, may not be required for display, but basic details should always be readily available. Furthermore, people have the right to be “forgotten” and have their data removed at their request.
Data breaches must be reported
In the event of a data breach you are required to notify “the supervisory authority within 72 hours, and possibly to affected data subjects as well.” HR needs to have protocols in place that not only dictate who receives notice and when, but also have standardized messaging prepared in advance.
Plan and Prepare
In addition to knowing the rules, HR should be putting plans in place for how each rule will be applied and enforced internally. By partnering with IT, Legal, and your Data Protection Officer, you will be able to determine what actions HR needs to take to ensure that private data is securely held and properly managed.
In addition to general preparations, the new laws also provide HR professionals with the opportunity to build a culture of privacy and security in the company. By creating not only rules, but also leadership guidelines, communication standards, incentives, and more, HR can ensure the company culture is one that supports data privacy, thereby creating a better work environment with increased productivity and lower legal liability.
Want to know more about what you can do to be GDPR compliant and effectively manage data privacy and security? Download this free ebook.