General data protection regulation (GDPR) – Implementation for HR teams

Ronald Moerbeek
May 24, 2018 7:30:00 AM

The GDPR, for some a continuous headache, driving HR managers simultaneously into overtime and madness, and for others, well are there actually people outside the former category? Those who recently started with their preparation for the GDPR might have a pessimistic outlook on the coming weeks, filled with privacy statements, data leak procedures, forms and GDPR-meetings. So what do you need to know on that dreaded date of the 25th of May? To help you with setting up for the GDPR, here are 6 example Q and A’s about the GDPR. The following information is not a legal advice and should only be used for informational and educational purposes.

1. What kind of data does your organisation have?

A simple question, but the answer might be more complex than you think! Personal data is any data related to a person in or outside of your organisation. This is not only limited to what is inside your personnel dossier. Take a critical look at your processes: what do you do when an employee starts working in your organisation? How does your off-boarding process go? Do your employees give personal data in those processes or anywhere in between?

Mapping the data you have in your company is the first step for an organised and GDPR compliant organisation. Additionally, this step will aid you in building a well-prepared and reliable process should data be leaked.

Some points of attention:

  • “Having personal data of your personnel” is not the same thing as “what did I store in the personnel dossier”. Be attentive to CV’s that are in drawers, documents with names, and personal e-mail addresses on them or first version contracts with data in them.
  • Don’t forget that the data of applicants such as: names, private phone numbers, and e-mail addresses are also subject to the GDPR and are easily shared amongst the company in the application process without much thought. Keep track of this data and delete it when it is due.
  • In general, visitors also extend their personal data to the company they are visiting. Do they need to be on a certain list for parking? Do they need to get an access pass? All those actions require sharing of personal data. Don’t forget your customers and other guests!
  • What kind of personnel data do you store from your customers and suppliers? Most likely, you store their names, email addresses, and phone numbers somewhere, but what else? Documents frequently contain personal data, so be critical of what you receive and store, and be aware of your responsibility!

2. What data do you share with other organizations?

It is important to map what data you share with other organisations. It is a common misconception to believe that no personal data is being shared with other organisations. In general, companies provide some information to the bank to pay their employees. Maybe your employees need to be insured against theft, use electronic devices (tablets, mobile phones, laptops, etc.), lease cars, use public transportation subscriptions, or attend education institutes. All of these situations and organisations require the sharing of personnel data.

Data sharing in itself is not forbidden, but needs to be known by the people of whom you share it. Do you share only the necessary data? For every piece of information you share, ask yourself: is it absolutely necessary that they receive this information?

Some points of attention:

  • A lot of information is shared with governmental organisations like the tax authority and unemployment offices. They are also bound by the GDPR and the information sharing you do with them also needs to be recorded. So don’t forget to take a look at what you share with them.
  • Normally, a supplier receives some personal data from a specific employee inside an organisation. The name of your officer manager when ordering office supplies counts as personal data.
  • During your research into the GDPR, you might think to yourself: “Wow, we share a lot of data. Can we even do that?” Just because you share it, doesn’t mean you are by default doing something wrong. The two reasons that allow the sharing of data most often for companies are ‘requirement by law’ or ‘permission’. If you have no legal requirement to collect a type of information, you probably collect it on the base of permission. If that is the case, don’t forget to actually ask permission.

3. Who knows about the GDPR?

Laying all the responsibility for privacy on one person is a ticking timebomb. Simply because a single person is not able to see everything that is happening, notice all privacy threats, and comply with all challenges in the GDPR. Your greatest resource are the people around you who can make your organisation compliant, but are they aware of the GDPR? What does this privacy regulation means for your organisation in a practical sense?

Share your knowledge of GDPR regulations with everybody in the organisation because everyone comes into contact with personal data: not only the administration, the director or your recruiter, but also the interns, the IT-support, and many more. Making all employees aware of the GDPR reduces the chance of leaving personal information in public spaces and provides a platform that generates input and signals high risk situations.

Some points of attention:

  • Speaking to your colleagues about the GDPR is not the only way to inform them, but it also reminds them of the password policy that you have, notifies them about updated privacy policies, and asks them for their input on any privacy risks they might recognize.

4. What do you do, when a data leak happens?

Hope for the best, prepare for the worst. Of course the aim should be never to leak any data, but there is always the chance of it happening. It is best to assume that a data leak needs to be reported. You should have prepared your procedure in case of a data leak in advance by knowing how you need to inform your clients, employees, and or suppliers in case of a data leak, who the contact person inside your organisation is, and who is the one reporting it to the proper authorities, as well as who the appropriate authorities are.

Some points of attention:

  • Lost USB-sticks, stolen laptops, forgetting a piece of paper with personal data on the public transportation or accidentally throwing away documents that still had information in it qualifies as a data leak. The only exception to having to report a data leak is when it deals with encrypted data. Encrypted data is not personal data and as far as the GDPR is concerned, losing encrypted data is not qualified as a data leak, as long as you didn’t lose the key with it, because if you do, you are talking about a data leak.

5. What did you put on paper?

There are procedures, agreements, statements and more, but did you document them? There will be situations of internal personnel not fully remembering protocols or not having sufficient training such as a new employee finding a leak and not understanding how to report it. Therefore it is important to invest in comprehensive documentation and make sure that it is available to everybody that needs it. Make your privacy statement visible and carry out your GDPR compliance.

Some points of attention:

  • It is important to always check what the mandatory documentation requirements are for your organisation. Organisations consisting of 250 or more people require some more documentation, like an operation database.

6. What difference can a right Content Management system make in the GDPR?

Good that you have the answers to all the previous questions. But being compliant with the GDPR doesn’t end there. You need powerful tools to ensure your data and processes are up to date. Here, your Content Management system can make the difference.

Doculayer.ai Intelligent Content Management solution combines privacy by design with a great user experience and everything you need to find, retain and manage your content altogether. You can store all your documents in one single secure location and retrieve them whenever you need with just one click. With the role-based access control and anonymization tool, you can ensure that only authorized users can view your sensitive information. On top, all the actions applied to your data are recorded in the system so in case of an audit you can easily prove that you are compliant.  

The 25th of May is not the end, it is only the beginning of following a whole new set of laws. Want to learn more on how Doculayer.ai can help you to relive your GDPR burden? Then get in touch with us.

Final words

As with many laws, in the coming years you will see new developments, amendments, judge rulings, and maybe complete adaptions of the GDPR. It is imperative to regularly check if you are still compliant, that your documentation is up to date, and if your colleagues are still attentive when it comes to privacy.

Happy GDPR-ing!

Subscribe by Email

No Comments Yet

Let us know what you think