The General Data Protection Regulation (GDPR) is at the forefront of a lot of organisations’ minds at present, because the new regulations will completely change how they can handle personal data.
As it comes into effect in May 2018, many companies are beginning to prepare for the changes – but without an HR system, they may be missing one key factor towards success, a HR software that can deliver functional compliance, process driven workflows in line with UK employment law and guidance material, in one easy to use and accessible online portal.
Some of the key changes within the new GDPR, although not exhaustive, include:
- Breach notification – employers will be required to report and provide key information to the data protection authority within 72 hours of any data breach.
- Documenting data – new regulations require organisations to document what personal data you hold, where it came from and who you share it with (in the form of an information audit).
- The right to erasure – Individuals have a right to have personal data erased where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
For more details of the key changes (and there are lots!) see the ICO website.
Whether HR departments are to be responsible for all GDPR compliance (employee, supplier, candidate, client data), HR involvement, in some form or other and GDPR will go hand-in-hand moving forward. As we all know, it hammers home the message that it is hugely important to retain employee data in a secure and ideally in a central location, accessed only by authorised persons within your organisation, and only for those with the relevant and granted permissions!
How should HR software help?
Many providers of HR software are working towards providing compliance, to varying degrees, with the GDPR within their systems. For those vendors who can supply them, certain features can be used to your benefit to help you stay compliant with GDPR:
1. Self-Service Portals – employees having access to real-time data being held about them by their employer, where that database is seen as the go-to place for all employee records. Access to these employee records should also be limited to those who have a legitimate business or contractual need.
2. Keeping Data in a Secure and Central Location – multi-sited companies often find it more difficult to manage employee data, trying to keep information secure but without the facilities to do so. Because of this they often end up storing data in unsafe environments like a computer C-drive, paper forms or on portable drives. HR systems should give you both the functionality and the necessary security measures you need to have all data held in one central system, leaving behind the risk of unwanted breaches to employee data security. Any processing of data that exist out with the HR system needs to be highlighted and questioned, eg if investigation, disciplinary, grievance, performance processes and the resultant records are paper-based, where do you store these, who has access to them and for how long?
3. Permission Sets – HR software should also allow you to determine and set granular levels of access to all data, with create, read and write options available and determined for an unlimited amount of different users who require different access permissions. Having the ability to configure multiple Permission Sets ensures that only those authorised persons have access to the personal, sensitive data that they ought to have access to.
4. Data Retention Policies – the GDPR doesn’t provide you with a prescriptive approach to data retention i.e. what to hold onto and what and when to delete. Your HR software should be configurable so that you can determine your own data retention policies which will dictate when data should be deleted. This will help you to stay compliant more easily and within your own agreed parameters and rulesets with the tighter regulations being in place following the GDPR deadline.
5. Company Documents – documents should be downloadable to make sure that all managers and employees are aware of the changes moving forward, ensuring their compliance. We would suggest sending out a document to your entire workforce, sent via your HR system making clear the key changes and all factors to consider concerning GDPR, and for that system to retain an audit trail of who, or who has not read and understood the information being communicated in the document.
6. Mandatory & Refresher Training – within your HR system, you should ensure that new starters, as part of their induction process, are provided with mandatory training pertaining to data compliance & security and that existing staff have access to retraining opportunities to refresh their knowledge or of any any legislative or company policy changes regarding data security across the company.
Whether you already have a HR system in place, or whether you are considering adopting one to ensure compliance, the benefits to your business are astronomical as long as you follow guidelines on how to configure and utilise your software system to best effect when considering the new data protection rules.
We have been liaising with our own advisors and legal firm to determine the functional changes that we are developing as part of our overall service delivery and we will be communicating the functional and capability changes being created within Youmanage over the coming weeks. For more information, or if you have any speciifc questions, please direct your query to [email protected]
If you are looking for more in-depth information on the GDPR, there is a wealth of information available online at websites such as ICO, EUGDPR and ITgovernance.
Did you find this article useful? [Youmanage HR][1] offers software to help you streamline your HR processes and ensure compliance within your company. We also write articles on HR, leadership, employee engagement, health & well-being and much more. Start a free trial of Youmanage, get in touch to ask questions, or check out our blog to help you to deliver HR best practice in your business.