A step-by-step action plan for GDPR compliance

The beginning of February brings us to just over 3 months until the GDPR takes effect on May 25, 2018. At this point, it’s important to have a handle on what HR must do to come into compliance along with an action plan for getting there. To help you get that plan in order, we’ve outlined eight steps to take as you prepare for GDPR compliance (for more detailed guidance, don’t forget to download our GDPR for HR checklist when you’re done.)

1. Build your compliance task force

Protecting individuals’ private data requires a company-wide commitment. Include representatives from HR, IT, Compliance and any other teams that use or manage employee data. Meet regularly and have clearly defined tasks with specific owners and due dates.

2. Know your HR data

Once you have your team in place, it’s time to assess and understand the data your company manages. At a minimum, you likely have personal information for active employees, former colleagues and job seekers. You probably also have data on third parties, such as the spouses of employees. Make note of what the data is used for and how often it’s currently reviewed or updated.

3. Assess access

One potential challenge is figuring out who has access to protected, personal data. Once you understand who has access, consider how your company is securing that data, especially as it is transferred across countries.

 
4. Update privacy notices and data collection practices

You will want to be sure to review all of your privacy notices. They may need revision as the GDPR requires employers to clearly inform employees of their rights as well as how they use employee data. On a similar note, audit your data collection practices. Check to make sure your HR team is only collecting necessary personal information and has a process in place to delete personal data in accordance with retention schedules.

5. Plan how HR will respond to data requests

Individuals have new rights under the GDPR, such as the right to data portability and right to erasure. You’ll want to create or update processes for managing personal data requests. Consider under which circumstances data can be deleted upon request and when employees can give and remove consent to having their data processed.

6. Develop a data breach response plan

In the event of a security breach, the GDPR requires organizations to report the incident to the Data Protection Authority within 72 hours of becoming aware of the breach. Be sure to name someone responsible for investigating and containing a breach in the event one occurs. There are cases where data breaches don’t compromise individual data and may not need to be reported. But if employee data has been compromised, impacted individuals must be notified without undue delay.

Subcontractors are also responsible for informing companies in the event of a breach. Now is the time to connect with your subcontractors to ensure they have appropriate data breach response plans in place.

7. Determine whether your organization needs a Data Protection Officer

Consider whether you need a Data Protection Officer (DPO) to be compliant with the GDPR requirements. If so, begin recruiting and/or identifying an individual from your existing headcount. Alternatively, companies may consider hiring a third-party DPO.

8. Inform and train employees

Ensure colleagues know both the latest compliance practices and who to contact if they suspect data has been compromised. Incorporate compliance education into every new hire’s training and plan annual refresh sessions for all employees.
 

We know GDPR compliance can seem like a daunting initiative and hope this list helps break it down into manageable steps. For more guidance, download GDPR for HR: The Ultimate Compliance Checklist.