"Nobody has all the answers" and more real talk about GDPR
With the upcoming General Data Protection Regulation (GDPR) going into effect in late May, I was curious to learn from the experts at the International Privacy + Security Forum in Washington D.C. As expected, there was a lot of talk about the GDPR and three themes were common throughout the conference:
No one has all the answers
The most common theme was that while the GDPR is very detailed, there are some open questions that won’t be resolved before May 25.
In order for HR to prepare for the sections of the GDPR that are less clear, the experts recommended clearly documenting each decision relating to personal data (and the Article it relates to) as you come into compliance. In addition, they suggested incorporating ongoing employee data management procedures to ensure that documentation is regularly updated. This way, if a question comes up from regulators later on, you will be able to explain the rationale behind data decisions over time.
The GDPR is spreading
Parts of the regulation are being adopted by nations throughout the world. That said, even if a non-EU country incorporates the entire GDPR into its data protection policies, employers shouldn’t rely on a blanket application of the regulation to become internationally compliant, as legal and cultural interpretations will vary.
While there is no perfect strategy, some employers are applying the GDPR as a baseline employee data management standard and adopting other national policies in certain locations as necessary. This allows businesses to efficiently process HR data, while allowing the flexibility to incorporate key national regulations. When deciding whether to incorporate separate national policies into employee data management practices, look at the risk of non-compliance, the sensitivity of the data and the number of employees based in each location.
House your data in one place
One big surprise for legal experts? Not even the best IT teams know where all their company’s data is housed. An often-told story was discovering unexpected data sets with privacy ramifications. The only way employers were able to get an accurate picture was to meet with individuals and teams across the entire organization.
What can an employer do in the long term to better manage employee data? Centralize and maintain everything in one place. Keeping your data in one place will improve your team’s ability to comply with record retention regulations and make it much easier to secure personal data. In cases where centralization isn't possible, ensure that exceptions are clearly documented and readily available.
The privacy experts all expect the GDPR will continue to be a hot topic for international businesses in the next year. Make sure you're ready by understanding the implications for HR.
About Robin Sendrow
Robin is the HR Compliance Assist Manager at PeopleDoc. She joined the team to help customers remain in compliance globally and easily navigate foreign rules and regulations through HR Compliance Assist. Previously, Robin managed client HR communications and provided outsourced HR support. She has a Masters in Psychological Counseling from Teachers College, Columbia University.