With the deadline for GDPR compliance just over the brow of the hill, HR directors whose compasses aren’t fixed on the summit will need to focus and pick up the pace. According to a survey conducted by global human resources and payroll service provider SD Worx, a hefty 46 percent of HR professionals are unaware of the GDPR.
If you’re concerned about hitting the 25th May deadline for compliance, here’s some best practice guidance to help you.
First, you’ll need to perform a gap analysis to identify where your company is and where it needs to be. This will involve an internal audit review and a data mapping exercise across the business, including employee and candidate data. The Information Commissioner’s Office (ICO), the body responsible for GDPR enforcement, provides self-assessment toolkits to help with this.
Then, develop an organisational chart identifying roles and responsibilities.
You’ll need to think about whether or not to appoint a Data Protection Officer (DPO) responsible for your GDPR compliance. The GDPR stipulates that you must appoint a Data Protection Officer (DPO) if you:
- are a public authority
- carry out large-scale, systematic monitoring of individuals
- process special categories of data
- use data that relates to criminal convictions and offences.
If you’re not mandated to do so, you may choose to appoint a specialist anyway.
Your DPO will need to be independent – i.e. not connected with any data controllers or processors in the business, which inevitably includes HR – although this person can be appointed internally.
Make sure your GDPR team and HR professionals know where employee personal data is held and why. Update your inventory of personal data to help identify and classify it according to GDPR guidelines. Delete any data that you can’t justify under lawful processing rules.
You’ll also need to review your HR systems. Technology is a key factor in achieving GDPR compliance, as it keeps you aligned with your rules and helps provide clear audit trails. Consider whether you need to invest in new technology or update your existing systems.
Review your current controls, policies and processes for GDPR compliance, and develop a plan to address any gaps. GDPR compliance is a journey, so if you at least demonstrate intent and a plan with timelines, you may be spared the wrath of the ICO if you’re not 100% GDPR compliant come 25th May 2018. It may, however, be a different story if you suffer a data breach, so don’t dally!
Communicate the changes that the new regulations bring to employees. For example, update your website or intranet and think about holding workshops, so you can make it ‘real’ for employees and address any queries or concerns. Training is essential, so that employees are aware of their rights surrounding their personal data, as well as the importance of maintaining valid and reliable data.
You can find out about Me Learning’s online GDPR courses for HR and across the business.