GDPR. The four-letter initialism that’s looming over every business scrambling to ensure compliance come the deadline. GDPR will affect companies across the globe who hold, or will hold, any data on EU and UK persons.
Knowledge of GDPR, therefore, is vital for an effective global people data management strategy.
On May 25th 2018, GDPR will replace the UK’s Data Protection Act (DPA).
It’s meant to be a good thing—a protection strategy for all EU residents’ personal data. It’s about time, too, since the old legislation is out of touch with our always-evolving Digital Age.
The new legislation comes with GDPR data subject rights that will change not only the way companies have to behave with data, but how employees and anyone else your company holds data on can interact with the data you possess.
Data subject rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights regarding automated decision making and
However, despite GDPR’s good intentions, businesses across the globe are making haste to hire data protection officers, compliance consultants, and anyone who can interpret the complicated and ambiguous legal text.
Is it a serious piece of legislation? Indeed it is. The GDPR penalties could cripple an SME and cause a significant inconvenience to colossal multinationals. If you’re found guilty of breaching GDPR you face a fine of up to €20 million or 4% of your annual worldwide turnover!
A November 2017 Deloitte GDPR survey across organisations and industry sectors in EMEA found that only 15% of those surveyed expected to be fully compliant by the May 2018 deadline.
33% of businesses had yet to determine what new personnel they would require to ensure their compliance with the new laws both in time for the deadline and for a sustainable strategy thereafter; only 38% of data controllers were able to boast that they expected to have completed a full review of all held data by the deadline.
Here are the personal data processing principles of GDPR Article 5. All personal data should be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specific and legitimate purposes. It cannot be used for anything other than these stated purposes.
- Relevant and limited to whatever the requirements are for which they are processed.
- Accurate and, where necessary, kept up to date. Any inaccuracies must be fixed or removed without undue delay.
- Stored for only as long as is required, as specified in the records retention policy.
- Secured with an appropriate security solution, which should protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Deloitte’s survey on GDPR found that some companies have already spent over €5 million on compliance, and others less than €100,000.
Indeed, in a 2017 Privacy Governance Report, the International Association of Privacy Professionals (IAPP) and Ernst & Young (EY) found that Fortune’s Global 500 companies’ investment in GDPR compliance would reach €7.8 billion.
Dividing this €7.8 billion among the 500 gives an average expenditure of €15.6 million per company.
This is a gargantuan difference when compared with “less than €100,000” and highlights both the diverse approaches taken and the vast disparity in resources that companies can burn to become compliant.
In addition to the cost (and in fact, a cause of the cost), the size of a company can affect the manpower and time spent ensuring compliance with the forthcoming legislation.
However, aren’t there any universal practices you could be enacting?
In fact, yes there are. Moreover, they do not have to cost millions.
Review all of the employee data that you hold.
From recruitment of an employee to the final day of their contract in your employment, you will have acquired more data on them than you might realise. Their bank details, salary history, everything on the CV that they sent to you, their references, a copy of their passport photo, their address, contact details, date of birth—to name but a few.
Document all of the personal data you hold. Make a clear accompanying note of where the data came from (its source) and whom you’ve shared it with to date.
Ensure you have a byte-proof system in place for a smooth transition and a sustainable future
GDPR will reshape how you can store, manage, and process data about your employees (as well as customers and anyone else too). Moreover, GDPR places the responsibility in the hands of you, the employer or HR practitioner, to decide whether you have the lawful right to store a piece of data, or whether you should remove said datum.
Since many large organisations use in-house systems to manage all things HR for their business, responsibility rests heavily on the shoulders of HR practitioners and IT departments to ensure that whatever system is used is fully compliant with the incoming GDPR.
In keeping with the incoming ‘right to be forgotten’, a business’s system now needs to give employees the power to delete the data you hold on them if they so wish.
For SMEs, enlisting the assistance of HR software could soothe your GDPR stress. HR software will process the data (in a compliant manner) that you store, while you remain the data controller.
Of course, if you plan to explore the option of outsourced HR software, do your research on which software companies offer a product that would benefit the size of your company. Software that is custom-built for an SME might not be a good fit for a large-scale organisation.
Consider how you are managing consent
Explicit consent is the buzz phrase for GDPR right now. Just presuming implied consent because employees, customers, or clients are not sending you requests for their data to be deleted is no longer good enough.
Create a form for your employees to opt-in. Circulate the form. However, before you do this, investigate how you have asked for data to date, how you have recorded data, and how you have managed consent in the past.
Review your privacy notice
A privacy notice should denote your identity. It should also state how you intend to use information (data) that you are collecting, and for how long you plan to hold it. Does yours do this already?
Employee rights—voice them loud and clear
What better way for you to be transparent with your staff than to clarify their rights under GDPR? While many rights were brought forward from the Data Protection Act, there are updates.
Employees can refuse to let you process their personal information, for example. In certain circumstances they can even request that you delete their data—reasons include if your justification for collecting the data is no longer valid (again, rather open to interpretation), or they withdraw their consent.
The Information Commissioner has created guidance on how to obtain consent.
While GDPR might seem like a swamp of fiddly details about intangible data, you will benefit your business—and your employees—by ensuring that you are compliant come May 25th.
For more information about the specific rights and duties under the GDPR, read our article on how the GDPR will impact HR data.