In an era of globalization where an array of business activities are performed digitally, an individual's personal information is processed in diverse ways, for many reasons, and in several places. Obtaining consent from individuals before processing their personal information is therefore crucial to ensuring their privacy. This is why privacy regulations such as the General Data Protection Regulation (GDPR) make it mandatory to do so. Since GDPR came into force it has proved to be one of the most critical milestones in organizations maintaining transparency and building true relationships with their clients. Companies serving customers across the globe are extensively aligning themselves to be GDPR compliant. It is therefore mandatory for the HR team in an organization to get its checkpoints done, because ultimately it is the HR team that is the intermediary between the legal breakthrough and the company's policy changes.
Here is a checklist for the HR team before going live with a full-fledged GDPR compliance suite across the company.
Build a task force:
GDPR is a company-wide initiative. This makes it all the more important to form a committee of HR professionals, the organization's legal advisor, IT, Security and other key professionals who meet on a regular basis with clearly defined tasks and strict due dates.
Before even performing an audit, the first thing HR should do is create awareness among employees of how significant GDPR is and why ensuring GDPR compliance is so vital. It requires extensive cooperation from every employee in the organization. Ensure everyone knows the latest compliance practices and whom to contact if they suspect a breach. Incorporate compliance education into every new hire's training and plan annual refresher training for all employees.
Perform Data Audit:
GDPR is primarily about how you handle personal information, whether internally or externally, across your entire organization. To successfully align your organization you need to inventory and audit all the systems and practices that handle personally identifiable information. HR professionals are often advised to seek help from the company's legal advisor when performing such audits.
It is also important to audit the different data processes and assess their related risk, to ensure that access to, storage of, and processing of this sensitive data is carefully governed and controlled under other data protection and security frameworks besides GDPR, such as ISO 27001/9001, SOC 2 Type 1, SOC 2 Type 2, etc.
Review all personally identifiable information:
Assess and understand all PII (personally identifiable information) that you hold. This includes data on on-payroll and off-payroll staff, former employees, job seekers and third parties. As an HR professional, always ask yourself first whether this data really needs to be maintained in the company's database system. Any such data that is not found to be critical for the organization should be erased from the database immediately.
Access to PII:
Obtain consent from everyone, both internally and externally, who has access to PII. Then determine how PII is secured, especially as it is transferred across countries. For internal employees, be sure that the right individuals and roles have the right level of access, and that there is a process for updating access as roles change. For external businesses or subcontractors, consider which entities need access to PII, how they plan to use it, whether their practices will be GDPR compliant and what methods they use to protect it.
GDPR compliance may require changes to your existing privacy policies and processes. As you review them, be sure to inform individuals of how their data is used (even where this is required by employment laws). It is highly recommended to document an adequate legal basis for processing HR data. Prepare an outline of, and be aware of, the technical and organizational measures taken to ensure data security.
Determine and document how data requests are handled:
GDPR gives individuals certain rights regarding how their data is used. To honor these rights, you will need to consider how to grant individuals access to their data, how to respond to requests to correct personal data, under what conditions personal data can be deleted upon request, and under what conditions individuals can give and withdraw consent to have their data processed.
Develop a data breach response program:
It is important to assign responsibility for investigating, containing and reporting breaches, and to be prepared to document any breach with its details, impact, and the actions taken to remediate it. There should be no compromise on an individual's personal data, and it is therefore recommended to report a breach to the Data Protection Authority within 72 hours and to notify the affected individuals without undue delay.
Appoint a Data Protection Officer (DPO):
If your company processes personal data as part of its core product or service, you must appoint a DPO who is responsible for ensuring GDPR compliance and protecting PII. If this applies to you, begin recruiting, identify an individual from your existing headcount, or consider hiring a third-party DPO.
Notify job applicants about what you are doing:
It is important to notify current job applicants about the policy changes and the data-retention practices you follow. Transparency is the key to a true relationship. Maintaining a healthy relationship with everyone in and around the company also helps build trust and credibility for the organization.
Use secure (GDPR-compliant) tools:
Saying that you are GDPR compliant means being compliant in every aspect, which includes keeping employee data in a safe zone. This requires using third-party tools that are also compliant with the same law. HR also needs to use strong authentication and access control mechanisms that limit access to personal data. To add another security layer, audit and review all of your current HR data storage processes on a regular basis.
Darwinbox, with features such as multi-tenant deployment for data segregation, strong encryption schemes to protect backup data, effective Identity Management (IdM) and sign-on processes, and insider threat mitigation, is one of the few HR Tech companies in India to be GDPR compliant. Here is a complete document on the data protection and privacy practices followed by Darwinbox.
Take a holistic approach:
Most companies assume that GDPR is a concern only for the IT department. Taking a holistic approach by involving all departments through a cross-functional team is a better way to ensure GDPR compliance. Seen from a wider perspective, marketing is the first department in the funnel to collect personal data from prospects, followed by outbound and inside sales, and then the sales and customer success teams. The HR department also uses the personal data of employees and current hiring prospects.
Many see becoming GDPR compliant as a cumbersome task, but its only aim is to stress the responsible collection of data. For companies that are still struggling to become compliant, the HR and data management teams together must start by creating a specific checklist for how to begin the compliance process. It is vital to develop a periodic assessment of the security measures protecting the personal data used in HR. And if you are still not aligned with GDPR, it is time to save yourself from paying 4% of your annual global turnover or 20 million euros, whichever is higher.