However, to ensure compliance with the regulation, most organisations have some work to do. That work is certainly worth undertaking, as fines for breaching the regulation can be crippling, especially for smaller organisations.
Even without the threat of fines, GDPR is well worth complying with: the regulation rewards companies who have up-to-date HR data that is available to the right people, when they need it, from one single system.
GDPR from an individual’s point of view
In short, GDPR demands that every individual (think employees, partners, customers etc.) has the right to access all the personal data you have stored about them in an understandable format. Everyone also has the right to have their data permanently and fully deleted, the right to transfer their data to another system and the right to be notified of any data security breaches.
Complying with these regulations comes down to the integrity and availability of the systems you store HR data in. Every company should be able to ensure that its personal people data is stored in a system that connects fluently to other systems, that this data is kept up to date at all times, that only the right people can access it, and that an export of it can be provided whenever requested.
To be honest, most payroll or HR systems are not built to handle changing demands for HR data or even data transfers between different systems. Lack of versatility often results in organisations and individuals creating new files (like spreadsheets) or acquiring several systems for managing the personal information. Lack of connectivity results in outdated data being held in several places. In these cases, providing an individual with a record of all critical people data is strenuous if not impossible.
GDPR from an organisation’s point of view
GDPR essentially splits the responsibility of secure data management between the Controller (typically HR) and the Processor (a software supplier for example). The controller oversees the selection of compliant suppliers and provides suppliers with documented instructions on how to manage the data.
The supplier needs to guarantee that data remains encrypted and safe when stored and transferred (in motion and at rest), keep a record of any processing activities and appoint a Data Protection Officer (DPO) to monitor compliance with the regulations. The list of requirements for suppliers is long and many are struggling to comply with the strict security protocols and measures.
What should HR do next?
In my previous blog post I alluded to the positive sides of GDPR: companies will need to revise how they have stored and transferred data between numerous systems. It is a welcome change that hopefully results in personal people data being stored in fewer systems with higher security. Besides security, such changes will likely mean less maintenance work for HR as well.
Consult our GDPR checklist for HR advice
The first step, then, is to start identifying all the locations where data is stored. This might be easier said than done, and that is why we have created a handy GDPR checklist for HR with simple step-by-step questions.
Secondly, ensure that your Processors are compliant with GDPR. Start tracking down your suppliers and engage in conversations regarding the new regulations. Making sure that they are ISO certified is one indication that they are prepared.
Finally, you should also define the principles of how you manage data. Here as well, I highly recommend having a look at our checklist for advice.
This is the second post in our GDPR blog series where we discuss the upcoming General Data Protection Regulation. You can find the complete series here.