While the GDPR have come into force, a majority of the corporate leaders are grappling with the challenges of business readiness on internal data security programs, website cookies, and data collection process. Many organizations are presuming that because their firm does not have an office in Europe, GDPR would not apply to them. However, under GDPR if an entity, while offering its goods or services, collects and processes personal data of such persons, then the entity in question is required to comply with the rules and processes set out in GDPR. In short, almost every corporation will need to be ready and must start working on their GDPR compliance strategy.
Here are specific steps which HR leaders need to take into consideration while developing an effective GDPR compliance strategy.
Train employees
It has become imperative for all functions to now understand what, how and with whom data is being collected and shared. Hence, HR leaders need to devise a training plan for employees on data processes, compliance and data management. Make the HR team ready to answer questions from users on how the data storage process looks like. HR needs to help facilitate awareness workshops on topics related to data breaches and consequences in context to GDPR. The L&D teams can roll out data-handling courses for all employees. And ensure that each team member understands the potential consequences of not following the regulations and compliance terms.
Use strong authentic encryption for HR data
All kind of sensitive data collected by the HR department will need to have security measures to be compliant with the GDPR rules. And one of the most effective ways to keep it protected is to encrypt the data. Also, it is important to encrypt emails to ensure protection from any potential cyber-attack. HR also needs to use a strong authentication and access control mechanism by limiting the access to personal data. To add another security layer, conduct audit and review of all of your current HR data storage processes on a regular basis.
Have a holistic approach - GDPR is about more than just data
Marketing is the first department to collect personal data from customers. They are also often responsible for communicating with stakeholders after a data breach. The HR department uses personal data of employees. However, most companies mistakenly assume that GDPR is a concern for only IT department. Hence, a holistic approach involving in all departments through a cross-functional team is a better way to ensure GDPR compliance. In fact, Akshay Aggarwal, Director, Solution Specialist, from Oracle India states that "Organizations should realize that GDPR is more than just data; it's necessitating a new playbook for businesses to engage with people.”
Other GDPR considerations
GDPR stresses on the responsible collection of data. HR and data management team together must start creating a checklist on how to begin the compliance process. Here are 5 tips to start with the preparation:
- Review current mailing lists
Check contacts in EU countries for records of consent. Remove individuals without a proactive consent notice.
- Document data collection channels and steps
Document all the sources through which the company receives contact details (e.g websites, events registrations, sales partners, etc.). Do ensure there is a consent process for each of them. - Ensure clarity in consent wording
Use of clear language that allows the person to provide unambiguous consent is a must. In case the organization may collect personal information through a web form, one needs to clearly state how the information will be utilized. Include the cookie consent notice on all web forms.
- Create an age-verification process
Parental consent to collect or process the personal data of children under the age of 16 is a requirement under GDPR. Hence, a dependent verification process such as automated email notification or a form should be collected from the parent as a separate consent.
- Update privacy policy regularly and notify them
It is suggested to send proactive notifications about changes to the privacy policy to all parties whose personal data is stored within the organization. Clearly word the privacy policy page and make it comprehensive. Include what information is being collected, how data is stored and how to contact the organization.
Wrap Up
To summarize, HR needs to reduce risk by taking appropriate measures such as:
- Put staff on training and then ensure that disciplinary policies are updated to make accountabilities clear for all employees.
- Similar to a fire drill, develop periodic testing of security measures of personal data used in HR.
- Keep reviewing confidentiality and IP provisions within employment contracts and consultancy agreements from time to time.
- Modernize HR systems by having a single security model and built-in audit system.
Ensure that data breaches must be mitigated and reported within 72 hours through well laid out rehearsed data breach procedures in conjunction with IT teams.