Preparing for the GDPR Regulation: immediately applicable measures in the HR department

25 April 2018

The HR department holds and processes sensitive data about your company's employees, so there are several measures you must apply as soon as possible to align with the GDPR requirements.

How long it will take you to align with it is difficult to predict, but using HR software that complies with the GDPR requirements will shorten the time needed and simplify the entire alignment process. Below are the measures you should apply now so that May 2018 finds you well prepared.


Data Protection Officer

Even if the GDPR does not oblige your organisation to appoint a Data Protection Officer, you should think seriously about working with a specialist in the field to help you meet the new requirements: to provide training and draft procedures and policies, to act as the contact point for the supervisory authority, and to advise you in general on issues relating to the GDPR.

Next steps: 

Decide whether to hire an external DPO or designate someone internally. If you choose someone within the company, identify the training they will need, define the role they will fulfil and make sure it does not conflict with their existing duties.


The consent received in employment contracts

Under the GDPR, where you rely on consent rather than another lawful basis for processing personal data, that consent must be freely given, specific, informed and unambiguous. Many employers currently process data on the basis of consent given in the employment contract, but because of the imbalance of power between employer and employee, there is little chance that this mechanism will be considered valid in the future.

What does a justification other than consent look like? It may be the need to process certain data to measure performance, to fulfil the employment contract or a legal obligation, or to protect the interests of your employees. The most problematic are sensitive personal data, such as civil status, health or criminal record. From now on, you will have to justify the need to hold this information.

Next steps: 

You need to audit the personal data you hold about your employees: know what data you hold and why you process it. Where there is no lawful basis for collecting and processing a category of data, you will have to delete it, including all unnecessary data and any personal data for which you have neither another lawful basis nor valid consent.


Issuing privacy notices

Once the GDPR applies, employees will be entitled to detailed information about how you use their personal data. It is not enough to justify why you process their personal data; you must also state the legal basis that allows you to do so. The information you provide to employees must be concise, transparent and easy to access.

Next steps: 

The most important thing is to draft clear and simple privacy notices for your employees. These notices must reach all your employees, and you should distribute them as soon as possible, before the GDPR applies.


Personal data breaches

Under the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. In addition, if the breach is likely to result in a high risk to the rights and freedoms of the affected employees, they must be informed without undue delay.

Next steps: 

You need to establish a procedure for detecting, recording and promptly notifying such breaches within this time limit. This plan could be set up and coordinated by the Data Protection Officer (DPO). Your employees should also be encouraged to report situations caused by human error, such as a memory stick containing employee data left in a conference room. Reporting is important in order to avoid penalties from the supervisory authority.


Access requests from data subjects

Access requests from data subjects are somewhat controversial because they are often used by former or dissatisfied employees to collect information for use in court in a lawsuit against the employer. Under the GDPR, as an employer you are required to respond to requests from employees or former employees within one month, a period that can be extended by two further months only for complex or numerous requests, and only if you inform the requester of the delay and its reasons within the first month.

Next steps: 

The more requests you receive, the harder they will be to handle without a software system that can quickly identify the required data and trace where it is held. If you already use such HR software, assess whether its current configuration complies with your company's new policies and procedures for meeting the GDPR requirements, and which additional functionalities would give you extra support. For example, you could give your employees transparent self-service access to as much of their personal data as you hold and process, reducing the need for formal requests.

The GDPR is the legal framework we need in a highly digitised world, and you need to apply these measures because, beyond the large fines you risk, compliance with the new regulation helps you build trust with your employees.

Do you want to know more about how to overcome the GDPR challenges?

Learn how HR software can help you manage the personal data of your employees and applicants lawfully and securely. Get a free HR software DEMO now!