If you employ anyone, whether full-time, part-time or as a freelancer, you’ll likely have either an HR department or a member of staff who performs HR functions, and they’ll have to deal with some very personal information: addresses, medical histories, bank details and so on. You’ll already be familiar with what your HR people need to do to comply with the current Data Protection Act, but when the new General Data Protection Regulation (GDPR) is introduced in May 2018, your current standards may not be enough.
The penalty for not complying with GDPR is severe, with a maximum fine of up to 20 million Euros or 4% of your global turnover, so this really isn’t something you can ignore. If you haven’t yet started to prepare for the changes, start now: there’s work to do before May.
HR can find that their information comes into the department in a variety of ways: applications online, emailed CVs, posted paper CVs and even CVs handed over in person by other members of staff. With GDPR comes a requirement to secure all of your data and protect it against hacking and data breaches. So what processes do you have in place to avoid any breaches? Should a data breach occur, you’ll have only 72 hours once you find out about it to notify any individuals that are affected. Therefore, your employees should be trained on GDPR, breaches and reporting, and you need to create a reporting culture.
Protecting individuals’ data
GDPR is all about protecting the rights of the individual and ensuring that any data stored is stored for the minimum amount of time possible, so that makes it difficult when you want to store a pool of talented candidates for the next time a vacancy comes up. You can’t just keep old CVs from unsuccessful candidates for next time without the individual’s consent, as you might have before. Therefore, if you do want to keep an applicant’s CV, you need to ensure you have their consent; verbal consent is not acceptable.
At the same time, the HR and Payroll departments have a legal obligation to hold onto data for various lengths of time, depending on the document and the legislation that applies to it. This means you’ll need to implement some sort of document control. One of the best things you can do with the information you hold is to audit your files and implement a document control process covering current and previous employees.
Everyone also has the right to request their information, to check it and to have it amended if it’s not correct, so you now have to be extremely clear about what data is collected, why, and what it is used for. Under GDPR, you must have consent to collect data, and you must only use it for what you say you’re going to use it for.
One other major area to consider is any third party applications or companies that you use. Do you hire a bookkeeper or use email software, such as GetResponse? Do you store data outside of the business premises, perhaps in the cloud? You will need to ensure that all of these outside companies also comply with GDPR.
There’s a lot to consider with GDPR, and your first step should be to audit your policies and procedures for data collection and retention: look at what data you currently hold, how it is stored and where. From there you’ll be able to see what’s needed to ensure compliance.
Certain changes may well have to be made, but a lot of them were already required under the current Data Protection Act, so you may find that you only have to change and update a small number of procedures. When these are implemented properly, your business will benefit by gaining increased trust from your employees and clients.
Please do contact us here at Farsight HR if you need any further help or advice on how the new GDPR regulations will affect your business and the relevant actions you need to take.