Social media is flooded with scary articles about the general data protection regulation (GDPR), lots of statistics and conflicting information, but very little in terms of cold, hard facts. As we enter the final months before the new regulations come into force, Julie Lock, service development director at MHR, looks at what GDPR is and what organisations should be doing from an HR perspective to ensure compliance.
Question: What is the general data protection regulation (GDPR)?
Answer: It’s an EU law – but you will still need to comply after Britain’s departure from the EU.
Let’s debunk the myth that, because we are exiting the EU, we do not need to be GDPR-compliant – because we do. The Queen referred to GDPR in her speech on June 21, 2017, stating: “To implement the general data protection regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”
On May 25, 2018, GDPR will apply to any company based in the EU and/or processing the personal data of EU citizens, leaving very few companies exempt from the obligations of this new regulation.
What questions should you and your HR team be asking?
HR holds and manages endless amounts of employee information and personal data. For GDPR readiness, organisations first need to assess whether all the information held is necessary. There are a few questions to consider:
- Do you know what personal data you process?
- What are your legal grounds for processing the data?
- How is it secured?
- How long do you keep it for?
- What happens if an employee wants to invoke their ‘right to be forgotten’ – what is your plan?
- How do you inform employees why you need specific information and what you are going to do with it?
- Can you prove that you have not breached an individual’s information?
- Is it sensitive?
If you’re not asking yourself these questions yet, now is the time to start.
Do you need a data privacy officer?
Public authorities and private companies involved in regular monitoring or large-scale processing of sensitive data are required to appoint a data privacy officer (DPO). The DPO’s task is to inform and advise employees handling data on GDPR obligations, monitor compliance and co-operate with the data protection authority (ICO in the UK).
Data privacy experts are predicting a Europe-wide shortage of suitably skilled DPOs by the time the regulations come into force in May 2018. If you feel your organisation would benefit from employing a DPO, and you have yet to recruit one, you need to act fast.
What about the data itself?
Finally, you need to understand what personal data you process, why you process it, how and by whom it is processed and, importantly, the legal basis used to qualify the processing. You must provide adequate GDPR training to staff handling or managing personal data so they can recognise and address data breaches; you should also carry out a maturity audit and implement its recommendations.
You also need to assess if you have:
- Clear, concise and adequate use of privacy notices
- A breach-management strategy which meets the new compulsory reporting conditions
- The ability to fulfil data subject rights including access to, and management of, the withdrawal of consent
- Data processing maps to demonstrate and manage privacy risk.
Is your school ready?
With so many conflicting reports in the media about GDPR, MHR recently carried out a survey of heads of HR, payroll managers, IT and financial directors to determine GDPR readiness.
The findings revealed that 68% of respondents had not yet received any GDPR awareness training. A further 53% have yet to access and appoint a DPO; given the predicted shortage of suitable candidates for this role, the longer organisations leave it to recruit, the harder the challenge will become for HR.
What does this mean, in short?
To summarise, there’s still a fair amount of work to be done by organisations to ensure they are GDPR-compliant. A maturity audit, in the first instance, will help to identify areas of concern and define required process changes.
Organisations also need to equip staff with adequate GDPR training, bearing in mind that the largest share of reported breaches tends to be caused by human error. The clock is ticking, so you should be acting now.