With just three months to go until the General Data Protection Regulation (GDPR) becomes enforceable, you might be wondering if there’s anything you need to do about the personal data you hold on your employees.
The answer is: Yes. Read on to find out what you should be doing.
What is GDPR?
GDPR is a European regulation, which becomes enforceable in the UK from 25 May 2018, regardless of Brexit. The new legislation updates current data protection laws, which date back some 20 years.
How will it affect the HR side of my business?
The new legislation aims to give control back to individuals over their personal data. If you employ staff, you’ll be holding a fair amount of information about them. But do you know exactly what information you have? Do you hold it securely? Are you holding on to information you don’t need any more? Would you be able to tell an employee what data you hold about them if they were to ask? And would you be able to produce internal records of data processing operations for the Information Commissioner’s Office should it request them?
If you’re not in a position to do any of this at the moment, you’ll need to audit your HR data to show that you know where it all is and whether you’re complying with the new Regulations.
Conducting an HR data audit
Firstly, you’ll need to consider who will be responsible for data protection compliance in your business and ensure that they are adequately trained in their responsibilities.
Who do you hold HR data on?
The next step is to make a list of who you hold HR records on in your organisation. Is it just those on the payroll, or do you also use freelancers, contractors, volunteers and/or interns? You will also need to consider former employees and job applicants. What information, if any, do you hold on them? Should you still be in possession of the CVs of previous unsuccessful applicants, or of freelancers you no longer use? Now is the ideal time to have a clear-out!
What information do you have on them?
Once you have defined who you are including in your audit, you can begin to record what information you hold on them. This naturally includes recruitment records, personnel files and payroll details, but it can also include things recorded electronically, such as CCTV footage and email systems.
Don’t forget any additional records you might have relating to travel, expenses, attendance, performance, training, disciplinary, accidents or responses to any staff surveys you may have carried out. You should also identify which (if any) records you have that contain sensitive personal data according to the ICO definition.
Where is this data kept?
It is important to know where and how these records are kept. Are they paper-based and/or electronic? Are they backed up anywhere or stored externally, such as with a third-party payroll provider? Does this data travel beyond Europe? If so, you will need to make additional checks.
Recording your processing activities
Once you’ve identified who your HR data covers, what it consists of and where it is kept, you then have to document it all, along with details of how this personal data is processed. You also need to record why you have this information, where it came from and that you have consent to keep it.
It’s important to document who has access to this data and why, and to specify time limits for keeping the data. You should also detail the security measures that you take to keep the data safe, and what data, if any, is shared with third parties. If it is used in automated decision-making (such as eligibility for promotion), this should also be noted.
You can keep this information either in a spreadsheet or, if there are complex data processes involved, in a purpose-built database, usually termed a ‘data register’. You might want to consider getting a third-party data auditor in to help you if this is a complex job.
The ICO has issued a checklist on what documentation is required under GDPR.
Deleting old records
The Data Protection Act requires you to ensure you only collect the personal data you need, and no more. So if you have personal data on file that is no longer needed, it should be deleted in a secure way, or ‘put beyond use’, as specified in ICO guidance (PDF).
Keeping up to date
Once you have these records in place, you’ll need to make sure they’re kept updated with any changes in personnel.
Update your policies and staff processes
Lastly, you might want to review your organisation’s policies and processes, particularly any that relate to data protection, to ensure they’re in line with the new legislation.
The above information is a guide to get you started, but is not comprehensive. You will need to refer to the checklists on the Information Commissioner’s website to ensure you are complying fully with the requirements of GDPR.
Help is at hand
If all this sounds daunting, you might want to consider getting professional help. People Puzzles can not only help you audit your current employee data but also future-proof your people processes, ensuring you integrate the principle of ‘privacy by design’ into all of your operational and strategic HR practices. Please drop us an email if you would like further advice.