GDPR: 5 priorities from the perspective of HR and employee data

Regulation 2016/679 of the European Parliament and EU Council, also known as the General Data Protection Regulation (GDPR), will come into effect on 25th May 2018. It is a fundamental change affecting all organizations that process personal data. They need to adjust their legal, IT, security and HR processes, which requires close co-operation between departments. What are the main things HR should prepare for?

If companies don't implement adequate procedures or violate their obligations under the GDPR, they will be subject to high fines. Irrespective of their size, they can receive a fine of 4% of their turnover, up to €20 million.

According to the HR Review website, and given the large scope of the GDPR, companies have to carry out an assessment of the impact of their internal data processing on personal data protection. They should then develop a project plan involving representatives of several departments (primarily IT, HR, Finance, Sales and Marketing) to address all aspects of personal data processing in the company.

From the point of view of HR and employee personal data, the following points will be the most important in the project.

1. Employee consent to process personal data

Work contracts will need to be amended to include not only passive consent but a specific description of consent to process personal data. In cases involving more than the employment itself, an informed and active consent may be required.

2. Revision of related processes and policies

It will be necessary to revise not only the corporate data protection policy, but also other related documents and procedures such as internal procedures related to whistleblowing, code of conduct, electronic communications policy, IT policy and remote working rules.

3. Employee training

The GDPR requires employee training on how the new personal data protection rules are relevant for them in practice. Another task for HR will be to provide a comprehensive education program that will be updated regularly and available at all times.

4. Reporting personal data security incidents

Employee data are very likely to be affected in the case of corporate data leaks. Therefore, HR must be part of their companies' plan for reporting violations of GDPR rules. Each company will be required to report personal data security incidents to personal data protection authorities within 72 hours from the incident.

5. Requests for access to personal data

Under the new rules, companies will be required to handle employee requests for information about their personal data processed by the company, including who uses it and how. The deadline for providing a written summary of this information is 1 month.

-kk-

Article source HRreview - UK’s leading HR news resource