HR teams have been working towards getting their processes ready to comply with the new data protection laws from 25 May 2018, when the GDPR comes into force. While some businesses will be ready for the GDPR, many will not. For many businesses, this date will represent the early stages of a long compliance journey. So what should HR be doing now?
Keeping staff informed
By 25 May, staff should receive a privacy notice which sets out information about their personal data, including the purposes and legal basis for the data processing. Going forwards, HR should ensure processes are in place so that, if any changes are made, staff are informed about them in an updated privacy notice.
Preparing and updating HR policies and procedures
In addition to updating employment contracts, consultancy agreements and the data protection policies, some HR procedures will need updating - for example those relating to recruitment and obtaining references and medical reports.
Data security and training
To reduce the risk of a data breach, it is important to educate staff about their data protection and security obligations – this also demonstrates that you have taken steps to ensure that staff process personal data lawfully.
Data cleansing
Data cleansing systems must be in place to ensure that HR and all line managers, etc., who process staff personal data comply with the data retention policy. All staff personal data must be securely deleted/destroyed, or de-personalised, if there is no lawful basis for processing it.
Demonstrating compliance with data protection principles
Employers must be able to demonstrate compliance if challenged by the ICO. This means that, throughout the design stage of any policy, process, product or service, employers must take data protection risks into account.
GDPR AFTER MAY 25TH
17.04.2018
Posted by: Morgan Spencer