Every individual within the EU has clear, reasonable rights. We have the right to access our own data, the right to correct it, the right to have it with us for other purposes and the right to remove it. All good here.
In practice, though, are we as businesses ready? Many organisations use payroll as their master data system and supplement it with Excel and Word documents; some data is also managed in ERP and IT systems. To be compliant in time, start by asking your organisation a few simple questions:
- When asked, can we deliver all data about a person in reasonable time?
- When asked, can we remove all that data?
- When asked, can we give a person all of their data in XML or another structured, machine-readable format?
If it's all thumbs up so far, continue by asking whether we know where all data about a person is stored, why it is stored, what we use it for, who has access to it, where it is backed up, and how we keep that data up to date, including the backups.
What do you need to be HR GDPR compliant?
For HR to be compliant, the basic capabilities needed from systems and processes are connectivity, configurable APIs and flexible user rights management. That means an HR system that can hold our content without Excel on the side, and data that other systems can consume through APIs or other connectors rather than email attachments.
We cannot open a dataset to anyone if it contains information that is not actually needed for that purpose. For example, a home address should not be exposed to IT users or to an ERP integration if they do not genuinely require it, and it should not be granted to any user without a strong justification. This is tough in many systems, but it makes sense in real life, and legacy technology is no longer a valid excuse.
The simplistic solution is to restrict HR itself, but that just does not make sense.
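The purpose-scoped exposure described above (each consumer sees only the fields its purpose needs, a home address stays out of IT and ERP feeds, and the data subject can still get everything as a machine-readable export) can be expressed as a per-consumer field allowlist in front of the HR master record. The following is an added example written for this post, not code from the original article or from any HR product; the record, the consumer names (`payroll`, `it_provisioning`, `erp_integration`, `data_subject`) and the allowlists are constructed assumptions that a real organisation would replace with its own data inventory.

```python
"""Purpose-scoped access to an HR master record (added example, assumptions marked)."""
import xml.etree.ElementTree as ET

# Constructed sample master record; no real person.
EMPLOYEE = {
    "employee_id": "E-1001",
    "full_name": "Alex Example",
    "work_email": "alex.example@corp.example",
    "home_address": "Example Street 1, 00100 Helsinki",
    "bank_account": "FI00 0000 0000 0000 00",
    "salary_grade": "G5",
    "cost_center": "CC-42",
    "start_date": "2016-03-01",
}

# Assumed consumers and their allowlists: a field not listed for a consumer is
# never returned to it, whatever its request asks for. Note that home_address
# is visible only to the data subject themselves.
FIELD_ALLOWLISTS = {
    "payroll": {"employee_id", "full_name", "bank_account",
                "salary_grade", "cost_center", "start_date"},
    "it_provisioning": {"employee_id", "full_name", "work_email", "start_date"},
    "erp_integration": {"employee_id", "cost_center"},
    "data_subject": set(EMPLOYEE),  # access/portability request: everything held
}


class AccessDenied(Exception):
    """Raised when a consumer asks for a field outside its allowlist."""


def project(record, consumer, requested=None):
    """Return the subset of `record` that `consumer` may see.

    With no explicit `requested` list the allowlist is applied silently.
    With an explicit list every requested field must be allowed, otherwise
    the call fails closed instead of quietly returning a partial answer.
    """
    try:
        allowed = FIELD_ALLOWLISTS[consumer]
    except KeyError:
        raise AccessDenied(f"unknown consumer {consumer!r}") from None
    if requested is None:
        return {k: v for k, v in record.items() if k in allowed}
    denied = set(requested) - allowed
    if denied:
        raise AccessDenied(f"{consumer} may not read {sorted(denied)}")
    return {k: record[k] for k in requested}


def is_denied(consumer, requested):
    """True if `consumer` cannot get all of `requested` (used by callers that want a boolean)."""
    try:
        project(EMPLOYEE, consumer, requested)
    except AccessDenied:
        return True
    return False


def who_can_see(field):
    """Answer the inventory question 'who has access to it?' for one field."""
    return sorted(c for c, allowed in FIELD_ALLOWLISTS.items() if field in allowed)


def export_for_subject(record):
    """Access/portability export: the subject's full record as an XML document."""
    root = ET.Element("employee")
    for key, value in project(record, "data_subject").items():
        ET.SubElement(root, key).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(project(EMPLOYEE, "erp_integration"))
    print(who_can_see("home_address"))
    print(is_denied("it_provisioning", ["employee_id", "home_address"]))
    print(export_for_subject(EMPLOYEE))
```

The design choice worth noting is that the integration never decides for itself which fields it gets: the allowlist lives with the data owner, and an explicit over-broad request is rejected rather than trimmed, so a misconfigured downstream system shows up as an error instead of a silent over-share.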
How should HR prepare for 2018?
We still have about a year before GDPR applies, on 25 May 2018.
We know the wording of the legislation and the basic instructions and guidelines from the authorities, even if details are still changing. New guidance arrives all the time, and next year we will start to see preliminary rulings.
All of this means that GDPR is a marathon. We should have started our compliance project by now, and we have 12 months to turn that project into a continuous process.
Have a look at the HR GDPR checklist for the basics. Once you have the basics in order, the checklist is a good foundation for continuous improvement and compliance, and it lets you focus on real HR topics. Compliance alone is not enough for good HR, but it is a good start: complying with GDPR means having up-to-date data available to those who need it. And that is why I love GDPR.
This is the first post in our GDPR blog series where we discuss the upcoming General Data Protection Regulation. You can find the complete series here.