Organizations and HR departments should understand the implications of the General Data Protection Regulation Act (GDPR) and how these new rules apply to their day-to-day activities. In most cases HR departments are responsible for implementing major changes and policies within an organization, so they must ensure that they are GDPR compliant: failure to do so will lead to hefty fines that may pose a significant risk to their organizations. This alone is reason enough for HR departments to comply with these rules.
The GDPR Act strengthens the rights of employees, which include the following:
- Right to information
- Right to access and rectify data
- Right to be forgotten
The right to information requires employers to provide adequate information on why and how HR-related employee personal data is managed or processed. Employees also have the right to access their personal data and to have inaccurate or misleading data rectified. The right to be forgotten means that employees are entitled to have the personal data held by their employer erased in specific circumstances. Employers or data controllers must obtain consent from employees before processing their personal data, and that consent must be active and unequivocal rather than a mere passive acceptance. It is important to note that an individual can revoke this consent whenever they see fit, which may further complicate matters.
Organizations should keep a detailed log of when an individual gives or rescinds consent. GDPR compliance will require HR departments to work closely with other stakeholders in the business, such as legal and IT. A data breach response plan is also necessary to deal effectively with a data breach in the unfortunate event that one happens. When a breach occurs, all concerned individuals should be notified promptly so that their rights or freedoms are not put at risk.
HR departments work with many forms of data, including data from current, former and prospective employees. While most information will come electronically via emailed documents and online forms, paper documents are also common. It is therefore important to dispose of non-compliant paperwork, as more and more organizations are moving away from paper-based documents or hard copies. The GDPR Act requires organizations to abandon the old-fashioned way of working with piles of paper that traditionally filled cabinets and to adopt technological solutions such as digital files.
Organizations need to identify the lawful basis for processing the personal data covered by the GDPR, namely:
- Legitimate interests
- Vital interests
- Legal obligation
- Public task
It is also imperative to train employees on how to handle personal data, which mitigates legal, financial and reputational risks. Training courses and regular refresher events will ensure that standards are maintained at all times. Existing staff and new recruits will then know how to react to a data breach and how to deal with unauthorized access to data, including the procedures to follow in every scenario. The organization should also decide whether to appoint a Data Protection Officer; if so, that person should be recruited and adequately trained, as this is a good step towards GDPR compliance.