With Friday’s GDPR deadline looming, employers have undoubtedly been spending the last few weeks reviewing the data they store about their staff, clients and other parties to ensure they will not be in breach of the regulation when it comes into effect.
While some might see preparing for the regulation as a box-ticking exercise, others would argue that making the commitment to protect employees’ and customers’ personal details is a good opportunity to win trust.
According to Juerg Birri, global head of legal services at KPMG, the GDPR provides a chance to “build a picture of how [an] organisation manages data, which has recently become a key element for company reputation”.
But as well as fulfilling their obligations to protect customers’ and suppliers’ data, employers also need to make sure their responsibilities under GDPR are communicated to their employees. Employees need to be aware of their rights as data subjects, as well as the role they play in making sure their employer is compliant.
Here are five policies HR needs to revise or implement to ensure their staff are up to speed with the changes:
1. Data retention and disposal policy
Employers need to be able to demonstrate that they store only the data they need and only for an appropriate period. One of the six privacy principles under the GDPR is “storage limitation” – i.e. the business can store and process only the data necessary for the purpose of carrying out a job, and for no longer than needed.
Employers should provide guidelines on the retention periods for certain information HR might hold about their staff. Their policy should include the measures the employer is taking to ensure the security of that data during the period it is retained, and how it will securely dispose of the data when it is no longer needed.
2. Privacy notice
Staff need to be informed about the data their employer stores about them, how it will be processed and details about the organisation’s lawful right to process it. It should also remind employees that their right to privacy will be respected by the organisation.
According to Eduardo Ustaran, co-director of privacy and cybersecurity at law firm Hogan Lovells, businesses should appreciate that data protection is a fundamental right.
“Success in this new era that is about to start will come from the acknowledgement that treating personal information responsibly is in everyone’s interests. Those who commit to this principle will see the GDPR as an opportunity and reap the true benefits of data,” he said.
3. Subject access requests policy
Data subjects – those whose data is held or processed by an organisation – have the right to make a subject access request to find out which information is held about them.
Employers should make their staff aware of some of the changes to the rules around subject access requests, including revised time periods for responding to requests (down from 40 days to one month after receiving the request), the information that needs to be provided in response to a request and the extent of the search.
4. Data breach reporting policy
HR departments need to inform their staff about the steps an organisation would take in the event of a data breach. This should be a comprehensive plan that follows the guidelines set out by the ICO, and includes the need to report data breaches within 72 hours and inform the relevant parties.
5. Legitimate interests policy
According to law firm Taylor Vinters, employers might also consider putting a legitimate interests policy in place to remind employees of the situations where the employer has a valid reason for processing personal data – for example, it would need an employee’s bank details in order to pay them. It recommended that employers list the reasons for which they might legitimately process an employee’s data for the sake of clarity.