By Holly Ivins, Law Content Analyst at the CIPD
The new General Data Protection Regulations come into force on 25 May 2018. The new rules are intended to meet the needs of a digital age, and require a change in organisational attitude towards data privacy. HR has a crucial role to play in achieving the new goal of data protection by design and default.
With only 13 working days to go the law content team have some top tips for how you can make sure you’re ready.
Data audit: if you've not already done one do it now!
- Determine who will undertake the audit; most likely a collection of representatives from different departments (eg HR, IT, legal). Make sure you also identify who you will need to speak to during the audit ie colleagues involved in payroll or recruitment.
- Compile a list of your areas of interest: you can start by using your current privacy notice.
- For each set of data establish whether it is held in live or archive storage, where it is held and whether it is held by a third party.
- Review all policies, forms and contracts to identify any amends that will need to be made.
- Establish the lawful basis on which you process different categories of data.
- Create an HR data record from your audit.
Update forms and contracts
- Review your current policies relating to data protection and assess how these might need to be amended to comply with new GDPR rules.
- Update any forms and contracts as outlined by your data audit.
- Re-confirm GDPR compliant consent (ie lawful basis) to process data for existing employees and leavers and ensure new systems are in place for recruitment and new starters.
- Compile data privacy statements for all employees.
Communicate new rights with employees
- Ensure line managers and any colleagues involved with recruitment and other data processing are trained in new GDPR compliant processes.
- Communicate with employees what the changes mean for them and their data and share data privacy statements.
- Ensure employees are aware of their obligations to you under GDPR (including notifying of a breach) and provide training where necessary.
- Determine whether you need to appoint a data protection officer and if so investigate appropriate person to fill this role.
Prepare for subject access requests
- Set up systems to be able to response to subject access requests “without delay”.
- Consider creating a subject access request policy.
- Ensure HR representative is trained in dealing with a subject access request.
For more information and to ensure your ongoing compliance check out our GDPR resources:
- GDPR in the workplace Factsheet: https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection/gdpr-factsheet
- GDPR: What are the priorities for HR? Member-only Webcast: https://www.cipd.co.uk/knowledge/fundamentals/emp-law/data-protection/gdpr-hr-webcast
- Hot topics webinar: 1 hour webinar as part of our Law Hot Topic Webinar series: http://shop.cipd.co.uk/shop/cipd-training/hot-topic-gdpr-and-hr-2
- GDPR for the HR Professional: 7 online modules created in association with MeLearning: https://www.melearning.co.uk/courses/browse-our-courses/information-governance/general-data-protection-regulation-gdpr-for-the-hr-professional/
- Enter code CIPD10 at the checkout to receive 10% off the price of the course.
- HR-inform has a suite of GDPR template documents and policies; CIPD members receive 50% discount. https://www.hr-inform.co.uk/