The introduction of GDPR in 2018 brought into legislation new rules around the collection, management, processing, and storage of personal data. Some years later, it is fair to say that GDPR has had a significant impact on the way companies manage personal data, but the rise in GDPR non-compliance fines last year shows there is still much work to be done.
At an organizational level, it is the HR function that operates right at the forefront of GDPR. It is the responsibility of HR, after all, to collect and manage employees’ personal data. With great power comes great responsibility, and the onus is on HR leaders to ensure every single aspect of their data collection processes is executed in a fully compliant manner.
As a leading provider of a fully compliant employee onboarding system, we have helped many companies meet GDPR requirements. During this time, we have developed a number of GDPR best practices, tips, and actions that can help HR leaders ensure their companies remain fully compliant.
1 – Raise Awareness:
While HR plays a vital role in GDPR compliance, responsibility must go beyond the HR function to include IT, Compliance, Legal, Security, and any other teams that interact with personal data. Upper management must also be made aware of the importance of GDPR and get behind any initiatives. When presenting GDPR initiatives to management teams, remember to keep it brief and focus on key points such as the “cost of doing nothing”.
2 – Train the Team:
Appropriate GDPR training should be conducted regularly on how to handle personal data, as well as on privacy policies and procedures. Training should be tailored specifically to each role and how it interacts with personal data. These GDPR training sessions need to be revised regularly, and records of who was trained, and when, should be kept.
3 – Hire a Data Protection Officer (DPO):
Assigning responsibility for data protection to a team or an individual is the ideal state. Having an in-house expert or team of experts ensuring the company remains compliant goes a long way towards achieving GDPR compliance. In fact, depending on the circumstances of the business, some companies may be required by law to appoint a DPO. An organization needs to appoint a DPO if:
- Data collected is processed at a large scale
- Systematic data monitoring is carried out
- Data is processed by a public authority
4 – Create a Data Log:
A data log serves as proof of GDPR compliance whenever an audit is done. The more information that is contained in the registered log, the better for the organization as a whole. The flow of data within the organization is documented effectively if all the data sources are identified. The advantage of having a data log or data register in place is that, in the event of a data breach, it can be used as proof of progress towards data security.
5 – Perform a Relationship Health Check:
A regular relationship check between the organization and the following is necessary:
- Outsourced service providers and recruiting agencies: There needs to be a secure way to share applicant data if you are using a recruiting agency to hire staff. It is important to have regular checks with them to ensure personal data is shared according to your instructions and considering privacy policies as well.
- HR Software Provider: Conduct a data protection assessment on the software and ensure that it is able to support data access, restriction, objection, and portability requests. If it falls short on any of these, it is important to raise this with the HR software provider or change the software altogether. If you are not using any HR software, it is important to uphold the same standards when it comes to handling personal data.
- Group Companies: A Group Company refers to a holding company or a subsidiary of the company or a subsidiary of a holding company. Parent companies receive reports from subsidiary companies which contain personal data. It is also important to consider where the Group Company is based. If it is based outside the EU, sharing of personal data calls for sufficient protection in place, for instance, a Privacy Shield that applies to companies in the US.
6 – Run a Data Collection Evaluation:
To ensure that your organization is GDPR compliant, ensure that the data collected is only what is needed. Accumulating sensitive data without good enough reasons triggers alarm bells that may attract the regulatory bodies who monitor compliance. Impact assessments, i.e. a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA), are mandatory when handling highly sensitive data. To minimize the subjectivity of the term 'sensitive', some information that calls for a Data Protection Impact Assessment (DPIA) includes but is not limited to:
- Religious views
- Ethnic origins and identities
- Political opinions
- Genetic data
- Biometric data
- Philosophical beliefs
- Health records
- Sexual orientations
- Location tracking
- New technology use
7 – Update Data Protection Policies and Employment Contracts:
Ensure your data protection policies and employment contracts are up-to-date with the latest GDPR requirements. The areas to focus on are:
- Data breach reporting policy: In the case of a data breach, the Data Breach Commission (or the relevant Data Breach Authority in the country in which you operate) must be contacted within a 72-hour window. The individuals whose data was breached must also be notified.
- Subject access policy: Ensure you are able to meet subject access requests for data.
- Data retention policy: Determine how long to keep the data, after which it is securely destroyed.
- Privacy notice to employees: Develop a policy on the types of data you hold about your employees, the lawful ground for processing it, the purposes for which you will process it, and the employees’ rights with respect to their data.
8 – Include a double opt-in for all new email signups:
An individual is only added to an email list if they consent twice. The first consent happens when the sign-up form is completed, and the second consent happens when the user clicks the confirmation link in the email that is automatically sent to the address entered on the form. GDPR does not state that double opt-in is mandatory, but it is highly recommended.
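The double opt-in flow described above, as an added example that is not part of the original article or of the PlanetVerify product: the form submission records a pending address and issues a signed, time-limited token for the confirmation link; only a valid, unexpired token for a still-pending address moves it onto the list, and the timestamps of both consents are kept as the record of consent. The signing key, the 24-hour expiry and the `MailingList` class are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: in a real deployment the signing key comes from configuration;
# a random per-process key is generated here only so the example runs stand-alone.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed policy: confirmation links expire after one day


def _sign(email: str, issued_at: int) -> str:
    """HMAC over the address and the issue time, so the token cannot be forged
    or reused for a different address or a different signup attempt."""
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class MailingList:
    # email -> timestamp of the first consent (form submitted, not yet confirmed)
    pending: Dict[str, int] = field(default_factory=dict)
    # email -> record of both consents, kept as evidence that consent was given
    subscribed: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def start_signup(self, email: str, now: Optional[int] = None) -> str:
        """First consent: the sign-up form was submitted. The address is NOT added
        to the list; it is parked as pending and a confirmation token is returned
        for inclusion in the link sent to that address."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        self.pending[email] = now  # a repeat signup invalidates any earlier token
        return f"{now}.{_sign(email, now)}"

    def confirm(self, email: str, token: str, now: Optional[int] = None) -> bool:
        """Second consent: the confirmation link was clicked. Returns True only if
        the token is well-formed, matches the pending signup, is unexpired and
        carries a valid signature; the address is then subscribed exactly once."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        try:
            issued_str, sig = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False  # malformed token
        if self.pending.get(email) != issued_at:
            return False  # unknown address, already confirmed, or superseded signup
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False  # expired link; the address stays pending until it re-signs up
        if not hmac.compare_digest(sig, _sign(email, issued_at)):
            return False  # tampered or forged token
        del self.pending[email]
        self.subscribed[email] = {"signed_up": issued_at, "confirmed": now}
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.subscribed


if __name__ == "__main__":
    ml = MailingList()
    token = ml.start_signup("Alice@Example.com")
    print("subscribed after form only:", ml.is_subscribed("alice@example.com"))
    print("confirm with link:", ml.confirm("alice@example.com", token))
    print("subscribed after confirmation:", ml.is_subscribed("alice@example.com"))
```

Because nothing reaches the list until `confirm` succeeds, an address typed by someone other than its owner is never subscribed, and the stored `signed_up` and `confirmed` timestamps give the organization a record of when each consent was obtained.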
PlanetVerify presents users with T&Cs that must be accepted before the data collection process takes place. These T&Cs can be completely tailored to the company’s needs and, once accepted, remove the risk that a user could sue a company for unwarranted use of personal data.
As you develop your GDPR compliance plan, it is worth bearing the principles of GDPR in mind. They are:
- Integrity and confidentiality
- Storage limitation
- Purpose limitation
- Data minimization
- Lawfulness, fairness, and transparency
These principles are at the heart of GDPR, and companies that fail to comply face fines of up to £17.5 million or 4% of their total worldwide annual turnover.