4 actions HR departments should take to prepare for GDPR

The new regulations mean companies need to update processes around the lifecycle of basic employee personal data, such as health information and family details.

GDPR will affect all businesses that store any aspect of personally identifiable information of all individuals, both customer and employee, living in the EU, whether or not that business has an office there.

A few years ago, Mark Cuban famously advised that data is the new gold. However, things have changed since the Cambridge Analytica and Facebook scandal as the public has become increasingly concerned with how companies are using their personal information.

As businesses prepare for the arrival of the General Data Protection Regulation (GDPR), leaders could be forgiven for thinking that data can become more of a liability than an asset – depending on its handling.

GDPR is a much-needed update to data protection that aims to strengthen and unify security for everyone in Europe. The legislation goes live on May 25, 2018 and will require all businesses to secure and manage the personal data of all individuals living within the European Union.

After years of gathering data, we are now entering a new era where trust and transparency are the new global currency. GDPR will affect all businesses that store any aspect of personally identifiable information of all individuals, both customer and employee, living in the EU, whether or not that business has an office there.


The scope of GDPR includes employee data, so it directly affects HR departments. As a result, companies need to update processes around the lifecycle of basic employee personal data such as health information and family details.

There are many resources surrounding the topic, some of which include free, user-friendly materials published by EU governments, in addition to those that act as “scaremongers” seeking to trick companies into paying for compliance help. What makes it most difficult for HR professionals is interpreting the rule, which was written broadly to address any type of personal data, and applying it specifically to employee data and HR practices.

Compliance cannot be achieved overnight, nor will it be complete for the big “go live” in May. An entirely new way of working, one that establishes where every aspect of data is obtained, how it is used, and where it is stored, needs to be put in place. In short, this is not a job for the IT department alone; it requires a highly collaborative effort across the company. Silos will need to be broken down to unify departments such as sales, marketing, finance, IT, and legal so the business understands the scale of how much data it is actively storing. But what do HR professionals need to know?

1. Create new or updated privacy policies

New privacy policies will likely need to be created and implemented to reflect the new rights of employees. Equally, all existing policies should be reviewed to determine which ones require updating to fall in line with GDPR’s transparency and accountability requirements.

In addition, a key difference between the current EU data rules and the GDPR is the emphasis on individual rights. Employees can now request that their data be completely erased at any time, or request a copy of the data that’s on file. HR teams need to be prepared to uphold these demands.

2. Revisit outdated processes

Reviewing HR processes, like onboarding a new employee, will help reveal what data you’re collecting that you don’t necessarily need. Minimization is key to successful GDPR compliance; less is more. Implementing minimization will likely require you to update protocols and rethink processes that involve requesting personal data from employees. For example, the onboarding and transfer of employees will need to be revisited to ensure that data collection practices meet GDPR requirements. You may also need to revisit your record retention policies and processes for ex-employees.

Ask your partners and vendors for their GDPR and compliance plan, as risk is shared when they handle employee data on your behalf…

3. Allow data access only to those who really need it

The rise of shadow IT, sensitive data increasingly stored in the public cloud, and malware in cloud SaaS applications are among the more significant concerns. CIOs and IT leaders now have the power to implement stronger cybersecurity and secure data-management policies that will protect personal data now and in the future. The security elements of the legislation demand that appropriate technical and organizational measures are taken to ensure all employee data is kept safe. HR’s responsibility is to ensure that only those who need access to personal data to do their job have access to it. Making sure that the right people have the appropriate access levels within a digital HR platform – or keys to the file cabinet – is the secret to successful compliance.

4. Centralize your employee file management

Learning about and documenting every element of employee data, where it is stored, and who has access is a process made much easier with centralized digital files. Going forward, a digital system makes it possible for HR to implement and internally audit procedures that will ultimately give them visibility into compliance as well as potential vulnerabilities. GDPR and employee expectations mean companies need to shift from a reactive to a proactive approach. A digital system is necessary to give HR visibility across their data, securely manage access to it, and implement policy changes at scale.

With GDPR, the stakes are increasing yet again for companies; HR must now think about collecting the least amount of data needed to get the job done and being completely transparent about its usage, rather than burying this information in complicated terms and conditions. Sure, this will dramatically change the way companies globally deal with EU citizens’ data, but it is something to be embraced rather than feared. By showcasing the implementation of these new data protection practices, a brand can actually build its reputation. While board members might fear the ramifications of GDPR, we all know that a breach of company data is something far worse.

For these reasons alone, GDPR should be seen as an opportunity for every employee to focus on protecting their personal data, or at least understanding their responsibilities. And for employers, take this opportunity to become more open to a review of outdated practices and to investing in and building technology that can complement this forward-thinking approach. Data protection compliance is now an ongoing priority, and it’s beneficial for all to take it seriously.

Arnaud Gouachon is chief legal and compliance officer at PeopleDoc.