Transparency is a key element of the new General Data Protection Regulations (GDPR), which means that as an HR professional, you need to let your employees know about some key elements surrounding their personal data.
According to Denise Morrison, CEO of Campbell Soup and one of the Forbes “50 Most Powerful Women in Business”: “The single most important ingredient in the recipe for success is transparency - because transparency builds trust.”
You can use the GDPR as an opportunity to build trust with your employees. Here are ten things you should let them know:
What employee data you need to store and process
Under the GDPR, you can only store and process the minimal amount of employee data required for management purposes. Make sure your employees know what data is stored..
Why you need to process their data
You must allocate and log what personal employee data you want to process in line with the lawful reasons stipulated under the GDPR, such as consent or to fulfil your contractual obligations with them. You should share this information with employees.
Where you will store employee data
Advise employees where their data will be stored, for example on-site or with a cloud provider or other third party.
How you will process employee data
Again, you’ll need to advise employees if their data will be passed to third parties or moved outside of the EU for processing.
Who employees should contact to amend their personal data
This would usually be either an HR department or their line manager.
What employees should do if they have any objections to your data handling
You must set up a process for this and advise employees how to log any objections – for example if they want certain data deleted. It’s important you keep an audit of any objections and can demonstrate to the Information Commissioner’s Office (ICO), the GDPR regulatory body in the UK, that you have taken appropriate steps in response to the objection.
How employees can access their personal data
This, again, would usually be through HR.
What employees can do to prevent data breaches
It’s wise to share best practice data security tips with employees so that they’re aware of the risks and consequences of a data breach and, importantly, how to avoid them. After all, prevention is better than cure. At work, employees are representatives of the company, yet all too often are under-trained in data protection issues which could cost you dearly.
What employees should do if they identify a data breach
In case of a data breach, you must follow the ICO’s strict guidelines in setting up your own organisation’s reporting process. Let your employees know who they need to inform – for example their line manager or your Data Protection Officer (DPO), if you have one – and when.
HR is often the repository of company culture, so do your bit to build a culture of openness and shared responsibility, so that if you do encounter data problems, nobody is incentivised to brush them under the carpet!
What employees should do if a customer makes a Subject Access Request
Anyone on whom your organisation holds data has the right to ask you to provide them with a full, electronic file of that data. This is called a Subject Access Request.You need to make sure your employees are aware of the processes surrounding this and how it relates to them, even if it just means passing the request on to an appropriate professional.
To help yourHR department and other employees get up to speed with their responsibilities surrounding the GDPR, you can find help with Me Learning. We have established role and sector specific GDPR training packages online – to find out more click here.