If companies do not implement adequate procedures or violate their obligations under the GDPR, they will be subject to high fines. Irrespective of their size, they can be fined 4% of their turnover, up to € 20 million.
According to the HR Review website, and given the large scope of the GDPR, companies have to carry out an assessment of the impact of their internal data processing on personal data protection. They should then develop a project plan that involves representatives of several departments (primarily IT, HR, Finance, Sales and Marketing) to address all aspects of personal data processing in the company.
From the point of view of HR and employee personal data, the following points will be the most important in the project.
1. Employee consent to process personal data
Work contracts will need to be amended to include not only passive consent but a specific description of the consent given to process personal data. In cases going beyond the employment relationship itself, informed and active consent may be required.
2. Revision of related processes and policies
It will be necessary to revise not only the corporate data protection policy, but also other related documents and procedures such as internal procedures related to whistleblowing, code of conduct, electronic communications policy, IT policy and remote working rules.
3. Employee training
The GDPR requires employee training on how the new personal data protection rules apply to employees in practice. Another task for HR will be to provide a comprehensive education programme that is updated regularly and available at all times.
4. Reporting personal data security incidents
Employee data are very likely to be affected by corporate data leaks. Therefore, HR must be part of the company's plan for reporting violations of the GDPR rules. Each company will be required to report personal data security incidents to the personal data protection authorities within 72 hours of the incident.
5. Requests for access to personal data
Under the new rules, companies will be required to handle employee requests for information about the personal data the company processes about them, including who uses it and how. The deadline for providing a written summary of this information is one month.
-kk-