New General Data Protection Regulation (GDPR): 5 actions to take in human resources
The new European Union data protection regulation, known by its acronym GDPR, will enter into force on May 25, 2018, and this involves major changes for all companies that store the data of European citizens. This General Data Protection Regulation affects practically all company departments, particularly human resources.
If you are a professional in the sector, here are 5 actions that you should implement in the human resources area to adapt to the new data protection regulation:
1. Audit the data you store and how it is used
First of all, it is important that you know what personal data you have and how it is being used. The new European legislation requires that data be easily located, capable of being modified or deleted at any time, and have a specific purpose. To comply with the GDPR, perform an audit or inventory check and analyze all the data you already have in detail.
2. Request explicit consent from employees
The new data protection law requires that European citizens have freely given “specific, informed, and unambiguous” consent when their personal data is handled. Therefore, it is recommended that you ask your employees for their consent and explain why you are storing their personal data. The GDPR further explains that a time limit must be applied when storing data.
3. Ensure data security
With the new legislation, you are obliged to ensure the security and protection of the data you are storing. That is why the storage of information as well as any transmission or communication, such as sending emails or documents, must be encrypted.
In the event of unauthorized access to employees’ personal data or a security breach, you must inform them within 72 hours.
4. Train your employees in the new data protection regulation
To ensure that the other departments are up to speed with the GDPR, human resources will have the mission of designing a training program for the whole company. This mission is of vital importance, as it is responsible for the company’s general alignment with the new data protection regulation and the avoidance of fines of up to 20 million euros (or 4% of global turnover).
When designing this GDPR training program, bear in mind that you should offer different courses depending on each employee’s profile. Make sure the content you’re offering is of the highest quality while still being understandable to employees. Also, it’s always good to try to repeat the courses from time to time so that all the information can be internalized.
5. Select the company’s data protection officer
Although it depends on the size of your company and the type of data you’re storing, your company will most likely need to appoint a Data Protection Officer (DPO). This individual will be in charge of overseeing how the organization respects the GDPR and will cooperate with the supervising authorities. Sometimes the data protection officer may be a person from the human resources department itself. If that’s the case, make sure they have all the specific training on the new European data protection regulation.