When it comes to processing and protecting employee data, it is the HR department that is responsible
by Rosie Cairnes, Regional Director ANZ at Skillsoft
Earlier this year, the new data breach legislation came into effect in Australia and last week, the General Data Protection Regulation (GDPR) came into force across the European Union, bringing with it mammoth changes to how companies treat employee and customer data. GDPR is not just for European businesses: if you serve customers or operate in Europe, you may also need to comply with this new legislation.
Although these new privacy laws are about protecting ‘data’, that doesn’t mean their implementation falls solely on the shoulders of the IT department. When it comes to processing and protecting employee data, it is the HR department that is responsible.
HR has a big role to play in compliance
A recent study by the Ponemon Institute and Citrix found 45 per cent of businesses in Australia and New Zealand are not even aware of GDPR and 55 per cent haven’t started preparing for it. Achieving GDPR compliance is a cross-departmental challenge.
Whilst IT leads the charge in implementing GDPR throughout the whole business, HR still has a significant role to play. For all departments, GDPR is an exercise in communication as much as it is in compliance. HR will need to work closely with IT, to ensure both are ready for the new regulation, and with employees, to ensure a smooth transition to the new framework. Those HR professionals not yet preparing for GDPR are putting their organisations at risk of regulatory fines.
HR’s responsibilities
Employee consent
HR will need to ensure all employees are aligned with the new GDPR framework. This will involve a change in how HR handles employee consent. Rather than the previous small paragraph in the employee contract, consent regarding how employee data is used will now have to be explicit and standalone. Employees must be made aware of how their company intends to store, control and manage their data. This will need to be detailed in a separate document and employees will need to sign it – either physically or digitally. Without this, organisations risk severe penalties for unlawful processing of data.
Making this process official has a number of other benefits. Whilst formalising the process demonstrates that a company is meeting its GDPR obligations, internally it also acts as an employee retention and engagement tool. The documentation shows employees that they can trust their organisation and that their personal data is being handled lawfully and properly.
When drafting the contract, HR needs to work closely with the IT department. Together, they will need to understand where and why employee data is used – as well as who is accessing it. For example, does it travel to another country? Who is using it? By answering these questions, HR can give its employees an honest and complete picture of how their data is being used. Employees are unlikely to sign something they do not understand, and it falls to the HR department – with input from IT – to explain employee rights in a clear, accessible way.
A two-way conversation
Under GDPR, employees will have the right to view and manage their data. This includes data access requests, data rectification rights and the right to be forgotten. Having a formalised process in place that explains how employee data is being used diminishes the likelihood of a ‘floodgate’ of employee requests once GDPR is enacted. However, HR should still be prepared and have the right processes in place for these requests. The challenge will be ensuring that both the right systems and the right policies are in place. HR needs to be organised when it comes to the new processes it will need to manage, and the potential for an increase in employee data requests.
Organisations will need well thought-out procedures and systems in place to allow HR teams to smoothly handle employee requests without using up too much time or manpower. This will again involve collaboration with IT – to ensure the right systems are in place – and employee communication to reduce the likelihood of unnecessary data requests once the new regulation is in force.
Compliance training
Achieving data privacy compliance is not a one-time action; it’s an ongoing process that will require refreshers to ensure that all employees are playing their part in achieving compliance. A comprehensive, ongoing training programme will help organisations mitigate the legal, financial and reputational risks associated with non-compliance.
A structured training programme helps employees understand how their data is used, alongside their personal responsibilities under the regulation. For example, if they come into contact with sensitive data, they will need to ensure that they follow the rules on how they handle it. Training can increase individual accountability throughout the organisation, but a one-off training session will not be enough. Companies will need to introduce a comprehensive, ongoing training strategy to address the long-term changes GDPR will bring.
HR’s role has changed consistently in recent years, moving away from the traditional administrative role of the past. These new data privacy laws see HR’s role transform even further. To ensure compliance, HR departments need to embrace the cross-departmental conversation: working more closely with IT, opening up a dialogue with colleagues regarding data protection and embracing the appropriate technologies. Through this, and proper planning, HR can help to ensure that its organisation remains compliant into the foreseeable future.