<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=127469634355496&amp;ev=PageView&amp;noscript=1">
Let's Talk

Let's Talk

A step-by-step action plan for GDPR compliance
Blog Feature Subscribe
Robin Sendrow

By: Robin Sendrow on February 8th, 2018

Print/Save as PDF

A step-by-step action plan for GDPR compliance

Compliance and Security

Est. Read Time: 3 min.

The beginning of February brings us to just over 3 months until the GDPR takes effect on May 25, 2018. At this point, it’s important to have a handle on what HR must do to come into compliance along with an action plan for getting there. To help you get that plan in order, we’ve outlined eight steps to take as you prepare for GDPR compliance (for more detailed guidance, don’t forget to download our GDPR for HR checklist when you’re done.)

1. Build your compliance task force

Protecting individuals’ private data requires a company-wide commitment. Include representatives from HR, IT, Compliance and any other teams that use or manage employee data. Meet regularly and have clearly defined tasks with specific owners and due dates.

Protecting individuals’ private data requires a company-wide commitment. (1)
2. Know your HR data

Once you have your team in place, it’s time to assess and understand the data your company manages. At a minimum, you likely have personal information for active employees, former colleagues and job seekers. You probably also have data on third parties, such as the spouses of employees. Make note of what the data is used for and how often it’s currently reviewed or updated.

 

3. Assess access

One potential challenge is figuring out who has access to protected, personal data. Once you understand who has access, consider how your company is securing that data, especially as it is transferred across countries.

A step-by-step plan for GDPR complianceGDPR Refresher: Data transfers

  • Personal data can be transferred within the European Economic Area and to third-party countries that have been approved as having adequate protections in place.
  • If a third-party country does not meet the conditions of adequacy, businesses can transfer data internally if there are binding corporate rules (BCRs), and can transfer data to external processors if there are standard contractual clauses (SCCs) in place.

 
4. Update privacy notices and data collection practices

You will want to be sure to review all of your privacy notices. They may need revision as the GDPR requires employers to clearly inform employees of their rights as well as how they use employee data. On a similar note, audit your data collection practices. Check to make sure your HR team is only collecting necessary personal information and has a process in place to delete personal data in accordance with retention schedules.

 

5. Plan how HR will respond to data requests

Individuals have new rights under the GDPR, such as the right to data portability and right to erasure. You’ll want to create or update processes for managing personal data requests. Consider under which circumstances data can be deleted upon request and when employees can give and remove consent to having their data processed.

 

6. Develop a data breach response plan

A step-by-step action plan for GDPR complianceIn the event of a security breach, the GDPR requires organizations to report the incident to the Data Protection Authority within 72 hours of becoming aware of the breach. Be sure to name someone responsible for investigating and containing a breach in the event one occurs. There are cases where data breaches don’t compromise individual data and may not need to be reported. But if employee data has been compromised, impacted individuals must be notified without undue delay.

Subcontractors are also responsible for informing companies in the event of a breach. Now is the time to connect with your subcontractors to ensure they have appropriate data breach response plans in place.

 

7. Determine whether your organization needs a Data Protection Officer

Consider whether you need a Data Protection Officer (DPO) to be compliant with the GDPR requirements. If so, begin recruiting and/or identifying an individual from your existing headcount. Alternatively, companies may consider hiring a third-party DPO.

 

8. Inform and train employees

Ensure colleagues know both the latest compliance practices and who to contact if they suspect data has been compromised. Incorporate compliance education into every new hire’s training and plan annual refresh sessions for all employees.
 

We know GDPR compliance can seem like a daunting initiative and hope this list helps break it down into manageable steps. For more guidance, download GDPR for HR: The Ultimate Compliance Checklist. 
Download the ultimate GDPR for HR checklist
Download the ultimate GDPR for HR checklist

You May Also Be Interested In:

3 ways HR can increase employee data privacy awareness

Last week, organizations around the world celebrated Data Privacy Day, an annual event with the goal of increasing data protection awareness. But, what can HR do to increase awareness after Data Privacy Day is over? After all, protecting personal employee data isn’t just a one-day project. Here are three things HR teams can do now to put privacy first every day:

Read More

Why HR should care about accessible technology

In honor of Global Accessibility Awareness Day we’re explaining what accessibility means and why businesses and their HR leaders should pay attention to it. As the world becomes increasingly digital, you’ll surely encounter the need to evaluate new workplace software or tools. For HR especially, considering whether new technology is accessible can make a world of difference for the employee experience. Here’s a brief overview of what you need to know about accessibility:  

Read More

How NCR stays on top of managing employee record retention guidelines

With 30,000 employees located across all 7 continents, Dana LaBarnes, Senior Director of Global HR Shared Services at NCR, has his work cut out for him. Consider how many different employee record retention guidelines his team must manage—and the fines associated with letting just one document slip through the cracks. It’s not a risk NCR (nor any company) can afford to take. To stay on top of the various document retention schedules for his geographically diverse employee population, Dana needed to find a digital solution. In this video, he explains how he made his decision:  

Read More

About Robin Sendrow

Robin is the HR Compliance Assist Manager at PeopleDoc. She joined the team to help customers remain in compliance globally and easily navigate foreign rules and regulations through HR Compliance Assist. Previously, Robin managed client HR communications and provided outsourced HR support. She has a Masters in Psychological Counseling from Teachers College, Columbia University.