GDPR and The HR Professional
This Month: The HR Manager…
Welcome to the second article in our series of professionally-themed insights for 2019.
Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.
This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you HR Managers out there.
We hope it makes your GDPR life that little bit easier.
Dear HR Manager…
Ah, February. The month for romantics everywhere!
So, what better time to show how much you care, especially when your main responsibility is looking out for others.
And, if you’re like many of the HR peeps that we know, your love of people means that you’re also likely to be concerned about the welfare of their data; and even more so since the GDPR came into force.
Now, because we love helping people and all things data protection-related too, we’re ideally placed to help you make the most of the GDPR in your HR role.
So, whether you need some basic reassurance, a gentle prod on how to be more compliant or explicit direction on what not to do, here’s a Valentine’s gift from us to you, sent with love…
Love People – Love Their Data: GDPR Tips for The HR Manager
Okay, first things first.
How much do you really care about people?
Because where HR and GDPR are concerned, there’s a lot to care about.
It’s not just all your current staff you need to think of, but also unsuccessful job applicants and former employees whose details you have on file.
And, if your business deals with customers, then you have all of those to think about too.
Here are some things to consider:
1. Recognising the importance of data protection is everyone’s responsibility.
One of the biggest misconceptions companies have with the GDPR is that HR and IT are the only ones who need to think about it. Of course, in reality, this isn’t right. Whilst it’s true that HR departments should engage others in dialogue on the need for good data protection and what measures are needed, the fact is that everyone should play a part in driving this.
How often do you bring up data protection in team meetings or raise its profile with colleagues?
2. To ensure good data protection practice and accountability, regular staff training is key
For everyone to play their part, staff should receive an adequate level of training on how to handle personal data (ideally as part of their induction and specific to their job role) and be aware of the correct policies and procedures.
This shouldn’t be a one-off though. Remember that refresher training should be provided on a regular basis and records kept each time.
How often do you provide data protection training to mitigate legal, financial and reputational risks, or run drills to check understanding?
3. Having clear recruitment and employment policies are essential
It’s important to be transparent with your employees (and prospective employees) about what data is (or will be) collected on them, for what purpose, and how it’ll be used – and can be done through a simple data privacy statement that they sign; not only does it provide their consent, it also allows them to explicitly opt in. (Of course, you can only then use the data for those purposes; if you want to use the data for different means, you’ll need to gain new permission.)
It’s also worth considering whether the data being collected is proportionate and necessary. Similarly, for job applicants, background checks too need to be proportionate and carried out only once an offer’s been made.
Regardless, upon that person’s request, you must provide a free copy of the data you hold on them, so should have a system in place that lets you do this easily.
When was the last time you reviewed your employee privacy notices to ensure they meet the new GDPR requirements?
4. Only keep personal data for as long as is necessary
You’re bound to accrue lots of data in your HR role, let alone the additional data being processed by other parts of the organisation. So, having (and regularly reviewing) a data retention policy to monitor what you have, how long you’ve had it and why you’ve still got it is good practice.
For instance, it’ll help staff acknowledge the importance of compliance and, on a practical level, ensure that you only keep CVs on file for 6 months after an unsuccessful application, and employment information for 7 years once an employee has left.
How long do you keep people’s data for and do you have procedures in place for permanently deleting it?
5. Data breaches are bad news but can prove helpful
For most companies, ensuring that data is held securely and used in a responsible manner usually applies to customer data; yet, from a HR perspective, employee-related data is no less personal or important.
That’s why it’s worth considering data encryption as an extra security measure and looking at how safe your data is with any third-party processors that you use (e.g. for payroll or cloud-hosted systems).
It may not be possible to completely eradicate the risk of a data breach, but you can be as prepared as possible in the event of one. A useful practice is to look at data breaches that have befallen other companies and assess how well you’d cope under similar circumstances. Or not…
How prepared are you for a potential data breach and would you know what to do?
- Recognising the importance of data protection applies to everyone – it’s not just down to HR to beat the drum!
- Regular data protection training is essential to keep staff up to speed.
- To process a job applicant’s data, you first need their clear (active and affirmative) consent and keep a log of when it was given (or rescinded).
- GDPR training doesn’t have to be complicated – focus on and follow simple good practice (e.g. never sharing passwords, clicking dodgy links or sharing confidential information with anyone unauthorised).
- It’s okay to make mistakes as long as you learn from them.
- The ICO (Information Commissioner’s Office) has a wealth of online guidance and advice (as do we!).
And whatever you do, please…
- Don’t dismiss GDPR or not find time to take it seriously.
- Don’t put off asking for help if you need it.
- Don’t send Valentine’s cards to your employees, no matter how much you care for them. (We’re all for sharing the love but it’s probably best to find a different way of demonstrating this.)
Help and support is only a quick email away
Wherever you are with the GDPR, we never judge and always offer unconditional love!
So, if you’re looking for some external practical advice and training, get in touch. And rest assured that your details couldn’t be in safer hands…
(Ps. Not just yet though as we’ve a load of Valentine’s cards to deal with. We’re just hoping that it doesn’t take us as long to open them as it took us to, ahem, write them.)