In May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act (DPA). The spirit of the new regulations remains the same – to ensure that data is collected, processed and stored in a way that is respectful and transparent to the person/organisation giving their data.
However, the scope and penalties for non-compliance differ dramatically from the DPA. The GDPR will consolidate regulations across the European Union (and yes, we are still going ahead with them), and the liabilities for breach of the regulations have changed from £500,000 or 1% of turnover under the DPA to €20 million or 4% of global business turnover under the new rules, meaning that non-compliance is a serious concern for any business.
Additionally, the jurisdiction of the regulations does not just apply to EU-based organisations. The regulations also cover any organisations selling to or monitoring the behaviour of non-EU citizens, meaning that enforcement can be brought against global companies outside of the European Union.
One of the main areas of change is the requirement for accountability – the need not just to comply with the regulations, but to show how you have complied with them. This was not required under the Data Protection Act and will mean that businesses will need to step up to the mark when putting together processes to collect, store and manage personal data.
Some of the requirements for accountability include staff training, internal HR reviews, maintenance of all documentation, and internal audits of data processing activities.
For HR departments, the new requirements are likely to require a shift in policies and procedures when collecting personal data for both staff and potential applicants for job roles, maintaining data while staff are in employment, and storing data of former employees.
While changes to the collection of data may be straightforward to manage, the area of accountability is likely to give some HR managers or business partners sleepless nights! ‘How do we prove that we have complied with the regulations, did we properly lock up the filing cabinet, and how do I know that my assistant’s laptop with all of our sensitive data on it hasn’t been left on a train’ are all questions that I suspect a number of HR people ask themselves on a regular basis.
So how can HR professionals navigate through the rocky path to ensuring that they are compliant with the GDPR regulations? Let’s take a look at some of the major areas.
Consent to Collect Data
The changes on data collection will mean that consent has to be explicitly given – no more opt-out buttons on websites, or assuming that employees have given implied consent for you to collect their data.
This will present challenges when recruiting: are current job notices robust enough to withstand scrutiny under the GDPR?
Also, for HR teams to comply with other regulations, a large amount of data is collected when new starters join – passports are scanned, sensitive data is collected and a suite of paperwork is usually accrued.
Consider how you deal with the paper that builds up during a recruitment process – interview forms, new starter documents and application forms can all contain personal data. While retention of all of these can be necessary, for example to show fairness in the process should a complaint arise from a disgruntled candidate, this is all data that needs to be appropriately stored, and some HR systems do not allow for non-employee files. Consider using a document storage company, such as Storetec, to retain these files for a suitable amount of time.
This major change will heavily impact HR departments. The need to show compliance could see HR departments struggle with what is already a process-heavy business area.
While digital HR systems will help with logging, many companies still have a mixture of both online and paper systems – such as written appraisal processes, medical notes and older paper files, which are not digitalised.
Using a document scanning company will assist companies to cut down on what could be an expensive and resource-heavy exercise of getting all records digitised in order to show compliance – after all, would a paper file at the back of a drawer count as adequately accountable?
A company such as Storetec can take away the headache of trying to manually digitise paper files by collecting, storing and digitising them – meaning that the original paper files are stored in a secure, monitored location and all files are properly recorded, so that you can ensure that all data is properly allocated to the correct person. The audit trail offered by outsourcing will assist companies in showing their compliance with the regulations.
If your company operates in multiple locations, consideration must be given to whose data is stored where, the implication being that companies operating outside of the EU can still fall foul of the legislation if they are storing data on subjects within the EU, or storing non-EU nationals' data within the European Union.
Best practice is, of course, for companies to follow the regulations for all subjects, regardless of location. Choosing a company offering cloud digital storage alongside document storage can codify this process by ensuring that all data is stored in one secure location, protecting both paper and digital files. Security measures are generally much higher than you would find in the average office, with measures such as CCTV cameras and temperature controls.
The Right to Be Forgotten
A significant change in the regulations is ‘The Right to be Forgotten’. In effect, this means that a data subject can request that all data about them be removed. This new right will present significant difficulties for employers where data is stored in a range of ways, including online systems, paper files and cloud storage systems. At a practical level, HR departments must start thinking now about how this can be achieved should an employee or former employee ask to have their details deleted.
Using a company such as Storetec makes this a much easier process. By consolidating all of your employee files into one cloud-based data system, there is no need to pull together files from different business areas to comply with a request, or to chase up business areas for specific documents.
Providers like this will grant you quick and easy access to employee files, making responding to a request much easier.
There is much to consider as we move from DPA to the GDPR, but a little outsourcing could save companies a lot of time, resource and money!