After months of being all over the news, GDPR is almost upon us, and for many businesses there is still a lot of work to be done to ensure that they are GDPR compliant – or face a potential fine of either €20 million or 2% of their global annual turnover, whichever is higher.
Of all business functions, GDPR will have its greatest impact on the HR department, which handles the most personal data and information. Whilst traditionally this data has been stored on systems for an indefinite amount of time, HR departments will now have a responsibility to make sure that all personal or sensitive data, such as employee records, is retained only for the period set out in their industry’s legal retention rules. The new regulations will mean the department has to implement new procedures to handle this information. This includes…
As soon as GDPR comes into force, only those who directly process absences will be able to see the reason for the absence, as it is classed as ‘special category data’ and needs additional protection due to its sensitive nature. If your current process for handling sick leave involves line managers being privy to this information, the procedure will either need to be changed or the employee will need to give explicit consent regarding who is able to see this information.
There’s already a lot your business needs to consider when an employee hands in their resignation, but as soon as GDPR legislation comes into force you’ll also need to review your off-boarding procedures. Just as a new employee is on-boarded by being integrated into the business culture, an employee who is leaving will need to have their access revoked to protect internal data. Their accounts and passwords will need to be disabled and their access rights removed as soon as they have left the business. The HR department will also need to ensure that the employee has all of the information they need – such as P60s – as all personal data will be deleted after a set time period.
Emergency contact details
When an HR department requests emergency contact details, it is technically collecting information about a third party without that person’s consent, which is against the new regulations, as an individual should know exactly where their personal information is being stored. To safeguard your business against this, an additional step such as collecting a signature from the next of kin as proof of their consent should be introduced.
Data classification and distribution
When sending through reports containing personal information – such as appraisals, salary reviews or disciplinary procedures – your HR department should also include instructions to the recipient asking them to either delete it following a review of the information or to delete it by a certain date. It should also mention who has permission to access the documentation.
With just a few weeks left until GDPR arrives, it’s the perfect time for your HR department to have a spring clean of their data – ask them to gather all data from systems, emails and spreadsheets so that all company data is centralised and therefore easier to find.
Is your HR department GDPR-ready? Got any questions? Let us know.