
A step-by-step action plan for GDPR compliance
Est. Read Time: 3 min.
The beginning of February brings us to just over 3 months until the GDPR takes effect on May 25, 2018. At this point, it’s important to have a handle on what HR must do to come into compliance, along with an action plan for getting there. To help you get that plan in order, we’ve outlined eight steps to take as you prepare for GDPR compliance (for more detailed guidance, don’t forget to download our GDPR for HR checklist when you’re done).
1. Build your compliance task force
Protecting individuals’ private data requires a company-wide commitment. Include representatives from HR, IT, Compliance and any other teams that use or manage employee data. Meet regularly and have clearly defined tasks with specific owners and due dates.
2. Know your HR data
Once you have your team in place, it’s time to assess and understand the data your company manages. At a minimum, you likely have personal information for active employees, former colleagues and job seekers. You probably also have data on third parties, such as the spouses of employees. Make note of what the data is used for and how often it’s currently reviewed or updated.
3. Assess access
One potential challenge is figuring out who has access to protected personal data, including HR systems, shared drives, spreadsheets and any vendors that process data on your behalf. Once you understand who has access, consider how your company is securing that data, especially as it is transferred across countries, and remove access that is no longer needed for a person’s role.
GDPR Refresher: Data transfers
- Personal data can be transferred freely within the European Economic Area and to third countries that the European Commission has recognised as providing an adequate level of protection (an “adequacy decision”).
- If a third country does not benefit from an adequacy decision, businesses can transfer data within their own corporate group if there are approved binding corporate rules (BCRs) in place, and can transfer data to external recipients, such as processors, if standard contractual clauses (SCCs) are in place.
4. Update privacy notices and data collection practices
You will want to be sure to review all of your privacy notices. They may need revision as the GDPR requires employers to clearly inform employees of their rights as well as how they use employee data. On a similar note, audit your data collection practices. Check to make sure your HR team is only collecting necessary personal information and has a process in place to delete personal data in accordance with retention schedules.
5. Plan how HR will respond to data requests
Individuals have new rights under the GDPR, such as the right of access, the right to data portability and the right to erasure. You’ll want to create or update processes for managing personal data requests, including how a request is logged, how the requester’s identity is verified and how you meet the one-month response deadline. Consider under which circumstances data can be deleted upon request and when employees can give and withdraw consent to having their data processed. Keep in mind that, because of the imbalance of power between employer and employee, consent will rarely be a valid legal basis for processing employee data; most HR processing will instead rely on the employment contract, a legal obligation or the employer’s legitimate interests.
6. Develop a data breach response plan
In the event of a personal data breach, the GDPR requires organizations to notify the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Be sure to name someone responsible for investigating and containing a breach in the event one occurs, and keep an internal record of every breach, including those you decide not to report, since regulators can ask to see it. Breaches that are unlikely to result in a risk to the individuals concerned do not need to be reported to the authority. But if the breach is likely to result in a high risk to employees, for example because payroll, bank or health data has been exposed, the impacted individuals must also be notified without undue delay.
Subcontractors that process data on your behalf are also responsible for informing you without undue delay when they become aware of a breach. Now is the time to connect with your subcontractors to ensure they have appropriate data breach response plans in place and that your contracts with them spell out how quickly and through which contact they must notify you.
7. Determine whether your organization needs a Data Protection Officer
Consider whether you need a Data Protection Officer (DPO) to be compliant with the GDPR requirements. A DPO is mandatory for public authorities and for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health data. If so, begin recruiting and/or identifying an individual from your existing headcount; the DPO must be able to act independently and report to senior management. Alternatively, companies may consider hiring a third-party DPO.
8. Inform and train employees
Ensure colleagues know both the latest compliance practices and who to contact if they suspect data has been compromised. Incorporate compliance education into every new hire’s training and plan annual refresh sessions for all employees.
We know GDPR compliance can seem like a daunting initiative and hope this list helps break it down into manageable steps. For more guidance, download GDPR for HR: The Ultimate Compliance Checklist.
About Robin Sendrow
Robin is the HR Compliance Assist Manager at PeopleDoc. She joined the team to help customers remain in compliance globally and easily navigate foreign rules and regulations through HR Compliance Assist. Previously, Robin managed client HR communications and provided outsourced HR support. She has a Masters in Psychological Counseling from Teachers College, Columbia University.