The General Data Protection Regulation (GDPR) will have a global impact when it comes into effect in May 2018. Legal and compliance departments in most medium and large organisations are working overtime to ensure GDPR-readiness. At Saba, we have been busy making sure that our solutions - and our internal processes and operations - are all compliant with the incoming legislation.
HR professionals have a solid background in data protection when it comes to personal data. Many of you are contributing to your organisation's efforts to achieve GDPR compliance. As the UK Information Commissioner points out, it has always been good practice to adopt a 'privacy by design' approach, putting data privacy and security at the heart of HR solutions.
Now that the GDPR makes 'privacy by design' a legal requirement, HR managers are looking again at their solutions and making sure they are ready to cope.
Employees' new data rights under the GDPR
Employee or "Data Subject" rights under the new legislation create important considerations for HR professionals. Some of these entitlements include:
- The "right of erasure" or the "right to be forgotten"
- "Right of access"
- "Right to rectification"
- "Right to restriction of processing," and
- "Right to data portability"
The "Right to be forgotten" is one of the key elements here. The new policy could drive never-before-seen requests from both current and ex-employees for employers (and HR professionals) to find, share, and potentially delete employee data upon request. Organisations will need to think very carefully about the implications of individuals asserting these rights and consider the processes they will have in place to support them.
In the meantime, it is super important to note that GDPR compliance activities should not be all about dotting your i's and crossing your t's, legally speaking. The GDPR offers a real opportunity for HR to drive through the change that many of you have wanted to see. Compliance with the GDPR will inevitably drive transparency and organisations will need to adapt to the requirement to share talent management data more openly with their workforce.
Getting your organization GDPR-ready
As the pace of change in business accelerates, it is vital that organisations have a flexible and responsive approach to talent management. All data collected on an employee could, potentially, become accessible by that employee at any time and as a result, data collection may need to become a more transparent process. While such a shift may seem like a burden to an organization, it does present an opportunity to transform traditionally closed processes into more meaningful and ongoing discussions around things like employee performance and development. As you review and redefine HR processes in the light of the GDPR, it is a real chance to transform talent management.
In the meantime, what should HR be doing to prepare for the GDPR right now? Here are some initial tips:
- Look at all the data you are holding on employees. Do you need to hold that data? What are the implications if an ex-employee asks you to delete their data?
- It is a good idea to have an organisation-wide GDPR champion to own the issue of GDPR compliance - but this need not be a compliance person. We think HR managers make good champions, putting to good use organisational knowledge and people and data management skills.
- HR pros should take the lead now on training delivery. The GDPR comes into force in a matter of months and it is essential that everyone in the organisation knows their compliance responsibilities - and what they should be doing differently - as soon as possible.
It is not yet entirely clear how GDPR compliance will be audited and how the authorities will check compliance - but in the meantime HR must keep its finger on the pulse of the latest GDPR developments. To help you, I worked together with my colleagues in the legal and security departments at Saba to create a white paper that provides guidance for HR pros called 'GDPR and HR: Understanding the impact of the GDPR on your talent strategy,' which you can download for free.
Have more questions about the GDPR?
If you have further questions about the GDPR and data security, why not ask an expert? Feel free to reach out to either of my colleagues (who helped with the white paper) or myself on LinkedIn. We'd love to help out in any way we can.