With less than 100 days to go until the General Data Protection Regulation (GDPR) takes effect, employers have been reminded to take stock of their data collection policies and consider how data security is approached by their employees.
GDPR, which will take effect on 25 May, will give people greater control over how their personal data is used and provide them with the “right to be forgotten”.
Dean Forbes, CEO at technology firm CoreHR, said businesses should view the regulation as an opportunity to review their current policies around collecting and storing data, rather than as a burden.
“For HR teams, the major implication is the need to gain explicit consent from employees and candidates for the storage of their information and to allow for the right to be forgotten,” he added.
Forbes recommended that employers look at the personal data they have stored and justify its purpose. If there isn’t one, they should consider removing it.
He said employers should think about educating their workforce about the risks of poor data security and holding on to data that is no longer relevant. Mandatory training sessions could be necessary.
“The next few months are all about ensuring employee data is fully safeguarded, that you’re fulfilling your legal duty to your employees and the impending legislative requirements,” added Forbes.
Karen Cheeseman, GDPR consultant at the PrivacyTrust, said paper logbooks used to monitor visitors to business premises should also be handled with care. Organisations should ensure the details of those who have previously signed in are not visible to the next person.
She said: “A lot of this depends on what the organisation does with the data. Is it simply a way of knowing who is in the building at a given time or is the organisation storing and using that information to use for another purpose, such as marketing or profiling?
“If it is simply for knowing who is in the building at a given time, then the main points to make are data privacy.”
Research conducted by software firm Senzing found that almost half (44%) of companies were concerned about their ability to be compliant after the GDPR deadline.
Although GDPR is an EU regulation, Brexit is unlikely to affect whether the UK continues to adopt it. The regulation applies to all organisations collecting and storing data relating to anyone who resides in the EU.
If an organisation is found to be in breach of GDPR after the deadline, it could face a fine of 4% of its annual turnover, or €20m (£17.8m), whichever is greater.