Have you heard of the GDPR? Are you and your company prepared? Do you know how it affects the HR department?
The answer is most likely no, as according to a Dell survey, 80 percent of respondents know few details or nothing about the GDPR, and less than a third feel they are prepared today.
In case you're wondering, the GDPR is the General Data Protection Regulation - the EU's new legislation on data privacy. It will come into effect in May 2018, and replaces the Data Protection Directive 95/46/EC, which was introduced in 1995, as well as the UK Data Protection Act 1998.
And its significance? "GDPR will represent the biggest change to UK data protection laws in twenty years," says Mark Shaw, senior product manager at software vendor Cascade HR.
Chris Berry, CEO of HR software CIPHR, adds: "The arrival of more stringent regulations may be a wakeup call for many HR professionals to review how they currently store and organise their employee data. If you currently use spreadsheets and documents to store employee data, you may find it difficult to comply or demonstrate compliance with the GDPR, so you'll need to think about how you may need to do things differently."
The GDPR will introduce commonly applied privacy regulations across all of the 28 member states, and update legislation for the digital age.
"GDPR will apply directly as an EU regulation," says Scott Blackmer, partner at InfoLawGroup, a virtual law firm focused on online and mobile privacy. "It will not be dependent on implementing national legislation, as the current framework EU Data Protection Directive has been, so it should be more consistent from one country to another. This should simplify compliance for companies managing employees in multiple countries."
One of the most important changes is increased jurisdiction, with the legislation being applicable to businesses outside of the EU that offer services within the area.
Blackmer explains: "Although companies will still have to comply with the data protection laws wherever they collect, use, and otherwise process personal data, GDPR will allow a company or corporate group to interface chiefly with a 'lead' supervisory authority in the jurisdiction where the firm has its headquarters or principal offices in Europe. Again, this should simplify compliance efforts for multinationals."
Other changes surround areas such as fines, the right to be forgotten, data breach notifications, conditions for consent, and data protection officers.
The other uncertainty surrounds Brexit. If your business is based in the UK but operates in the EU, then you will still have to adhere to the regulation. However, if all your business's operations are in the UK, the situation is unclear.
The GDPR will have a massive effect on HR departments. A whitepaper from CIPHR explains: "The reason GDPR is such a widespread topic of discussion at the moment is that it will fundamentally change how organisations can handle personal data, including their employees' personal data. The main changes are around access, rectification, deletion and transfer rights, as well as new requirements around reporting a data breach.
"For those working in HR, this means a rethink about how personal data is collected, used and retained. Data protection issues have an impact on most HR activities from handling recruitment and employer references, to how employee performance is monitored and how employee records are handled before, during and after employment."
As well as data protection, the GDPR also covers data collection, with companies being prohibited from collecting certain information, including health, biometric, and genetic information.
Blackmer explains: "Sensitive data categories (which generally require express consent, heightened security, stricter attention to purpose limitation, and shorter data retention) have been expanded under GDPR to genetic and biometric data, adding to the existing categories of race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. HR managers will have to include these two new categories for special treatment."
Blackmer also explains that the GDPR expressly refers to online identifiers and geolocation data.
He says the HR impact from this will be on: "Employee log-on credentials, onsite or remote, are treated as personal data, so a compromise could trigger breach notice, for example. It also affects RFID tags in security badges and apps tracking employees by phone, which are treated as personal data use that requires notice and consent, and may require approval of data protection and labor authorities, trade unions and works councils."
While you may think that there's no urgency because the legislation doesn't come into effect until May 2018, you'd be wrong. According to research firm Gartner, by the end of 2018, more than half of companies affected by the GDPR will not be in full compliance with its requirements.
According to Blackmer, the GDPR uses the same terminology and principles as the Data Protection Directive 95/46/EC, so the concepts are largely familiar to local management and global HR managers.
He says: "However, it is intended to 'raise the bar' for privacy protection, and it generally requires more planning and documentation for both the privacy and security of personal data. HR managers should take this as an opportunity to tighten procedures, refresh training and awareness programs, and establish their role in privacy and security governance."
Shaw adds: "To prepare and comply with the overhaul, HR departments therefore need to apply GDPR to their risk register and raise it with their board. Failure to demonstrate compliance or the ability to comply could lead to fines of up to €20m or 4 percent of organizations' global annual turnover - whichever figure is larger. However, failing to comply is not simply a financial matter, it could have a significant detrimental reputational impact too."
The process he suggests is as follows:
"GDPR is all about accountability and being able to demonstrate it. HR departments should therefore:
Health check their relationships, contracts and privacy notices in relation to service providers and data processors to ensure GDPR compliance
Evaluate Data Protection Impact Assessments, i.e. consider whether they are required to conduct Data Protection Impact Assessments for their data processors. These should then be carried out on all service providers where personal data or special category data is involved
Review their processes and mechanisms for dealing with subject access requests and assess whether software will enable them to comply with such requests from employees."
HR software - especially cloud solutions - can be hugely helpful in ensuring that your company complies with GDPR.
"GDPR-ready HR software will assist businesses in complying with subject access requests from their employees in a timely manner," says Shaw.
Many software vendors are already working on ensuring they provide this functionality. Here we profile a range of HR solution providers that can help ensure GDPR compliance.
"Cascade has a range of cloud-based, self-service HR software solutions which proactively help clients comply with GDPR legislation," says Shaw. "To give just one example, clients can quickly and easily action any subject access requests they might receive from their employees so that they can comply comfortably within the new timescales."
Shaw adds that the company has been "conducting risk assessments to identify where any additional security measures may need to be implemented within the Cascade software range, and whether any other key GDPR compliance requirements are necessary prior to the regulation's introduction."
Hope Mears Østgaard, VP Marketing at CatalystOne Solutions, explains how the HR system can make companies' lives a lot easier in the compliance process:
"You can reduce the number of systems (incl. Excel, separate systems for different HR processes, payroll, AD, master data, 360 etc.), turning a very fragmented and unmanageable system landscape into a central hub for all your personnel data, including HR master data and all your HR processes on the same platform. This makes it so much easier to secure and document access control, audit trail, deletion etc.
The central platform can easily integrate with your payroll and AD (or other enterprise systems).
CatalystOne has role-based access, which means that you can easily control who has access to what information, which is key to GDPR compliance.
Privacy by Design - by default, only the persons who need access to data will have it
CatalystOne will give you an audit trail on all changes made to personnel records. Who did it and why.
Export functionality which supports the data subject's right to bring their data file with them in a manageable, digital format.
"Forget me" functionality making it possible to easily delete a whole profile on request - which is a right the data subject has according to the GDPR.
All CatalystOne customer data is stored within Europe and CatalystOne operations personnel are all based in Norway."
"Using CIPHR's SaaS HR system, employees can access and update their own personal information via a secure self-service portal," says Chris Berry, CEO of CIPHR. "CIPHR also offers tools that will help you to document when consent from employees was granted for processing personal data. CIPHR also has strict policies, procedures and security systems in place which are designed to ensure that our clients' data remains secure."
He adds: "The ICO (Information Commissioner's Office) provides a best practice recommendation that organisations should try to give remote access to a secure self-service system to give the individual direct access to their own information. Self-service functionality provides transparency and enables individuals to ensure data accuracy."
Cloud security company CipherCloud added advanced data-protection capabilities for SAP SuccessFactors' HR solutions in late 2016 to help ensure compliance with the GDPR. According to the company, this will enable it to define "specific personally identifiable information (PII) to be protected".
Workday has already updated the data processing terms it provides customers, as well as ensured it has functionality in place to deal with the new rules. This includes:
A formal internal incident response plan that aligns with the new notification rules for any security breaches that lead to the loss
The Purge Person Data feature that supports customers' Right to be Forgotten
Workday's Privacy Shield Certification, which provides a GDPR-compliant data transfer mechanism for personal data transfers outside the EU.
Danish skylight manufacturer Velux decided to implement HR software Workday in part to ensure it would be compliant with the GDPR. Its data was previously spread across Excel spreadsheets and Access databases, with different locations using different systems and tools.