It has now been a year since the introduction of the General Data Protection Regulation – or ‘GDPR’ as it is more commonly known. A key aim of the legislation was to provide greater control to individuals in relation to their personal data and how it was collected, retained and managed. One year on from the new legislation, what has really changed?
HR and GDPR
HR have always been the custodians of some of the most sensitive employee data. Most HR professionals are well aware of the responsibilities that holding this data brings. So in many respects, the GDPR was just more of what HR have always done.
What GDPR did do successfully was shine a fresh light on personal data. In the technology age, where electronic data about us is plentiful, the new legislation reminds people that they have rights over that data – and they can enforce them. In the six weeks following the introduction of GDPR, the Information Commissioner’s Office reported a 160% rise in complaints about data breaches – over 6000 cases. Combined with high-profile cases featuring the misuse of personal data and data breaches reported in the media, there’s now a climate of greater awareness amongst the general population about data security.
Data security at work
Another key aim of the GDPR was to ensure that data protection was built into ways of working – not an afterthought. The introduction of GDPR forced organisations to look again at the way they managed their data. A serious data breach could lead to both significant fines and reputation damage – and no organisation can afford to take these risks. Processes and procedures had to be re-examined. Policies were updated, mailing lists cleansed and mandatory e-learning rolled out. Of course, once the implementation work has taken place it is easy to sit back and consider that the work has been done. If only that were the case. Processes, training and procedures alone cannot ensure good practice, or eliminate risk of data breaches.
GDPR practices for HR
When it comes to their sensitive employee data, organisations and HR teams alike need to keep their eye on the ball. On the anniversary of the legislation taking effect, now is the time for organisations to re-visit their processes and procedures and check their approach to managing their employee data. In addition, here are five more things to do now:
- Check your policy, privacy notices and contracts of employment. Has anything changed in the last year that requires an update?
- Don’t forget about the paper you handle as well as electronic data. It’s no coincidence that so many organisations are talking about going ‘paperless’. Check that your paper records are also necessary, up-to-date and secure.
- Remind your managers that the best place to store employees’ personal data is in your secure HR system – it presents much less risk than retaining paper records.
- Assess your potential data risks. So often data breaches are a result of human error. Where within your data processes could things go wrong – and what can you do to prevent this?
- Remind your employees about their responsibilities. Refresh your data protection training or consider a reminder communication campaign around the office. Keep data security at the forefront of people’s minds.
Undertake these activities regularly; remember – complying with GDPR is an ongoing process, not a one-off event!
About the author
Gemma Dale is an experienced HR Director and a Chartered Fellow of the CIPD. She is also a regular speaker and writer on a variety of HR topics, including employee engagement and social media. She currently runs The Work Consultancy, where she writes about how to work towards getting the most effective people policies for your organisation.