The long-awaited European Union General Data Protection Regulation (GDPR) applies from 25th May 2018, and that deadline is now looming.
The GDPR significantly increases the obligations and responsibilities of Irish businesses in how they collect, use and protect personal data. At centre stage are two requirements: transparency, meaning businesses must be clear with individuals about how their personal data is used and safeguarded, and accountability, meaning businesses must be able to demonstrate compliance for each of their data processing activities rather than simply assert it.
It is essential that employers and HR professionals alike plan ahead, as the GDPR affects many parts of the HR function, from candidate records to employee details, all of which are personal data within the scope of the new rules.
So What Can You Do Today to Prepare for the GDPR?
1. Data Inventory:
Draw up an inventory of all personal data held by the company from an HR perspective. Identify the staff, service users and contractors with whom employee personal data is shared.
Examples of what the inventory might record for each category of data:
- What data is processed, and about whom (candidates, current employees, former employees, contractors).
- The legal basis for processing it.
- How the data is processed.
- Who has access to it.
- How long it is retained, and why.
- Whether it is transferred to or shared with third parties, including any transfer outside the EU.
- How securely it is held.
2. Gap Analysis:
Identify where the gaps and weaknesses lie in current processes:
- Data retained for longer than is reasonably necessary.
- No identified legal basis for processing, or reliance on consent that is absent, insufficient or inappropriate. Consent is only one of the six lawful bases in Article 6 of the GDPR, and it is rarely a sound basis in the employment relationship, because an employee is seldom in a position to refuse freely; contract, legal obligation or legitimate interests will usually be the correct basis for core HR processing.
- More data collected than is reasonably necessary for the purpose.
- Too many people having access to certain information.
- No clean desk policy.
- Data stored insecurely.
- Data that is inaccurate or out of date.
3. Implementation Plan:
Put in place an implementation plan to correct the weaknesses identified and ensure compliance with the GDPR:
- Develop retention schedules and processes so that data is kept only for as long as necessary and then securely deleted.
- Record the legal basis for each processing activity; where consent is genuinely the appropriate basis, obtain it through clear, specific consent forms, and make it as easy to withdraw as it was to give.
- Delete any data that is excessive or unnecessary.
- Put in place Subject Access Request procedures; a request must normally be answered within one month of receipt.
- Put in place an Incident Response Plan so that a personal data breach can be assessed, contained and, where required, notified to the supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.
- Ensure appropriate technical and organisational security measures are in place to protect the data.
- Inform employees of their rights under the GDPR.
- Provide GDPR training to the management team.
4. Policies and Documentation:
Draft GDPR related policies, procedures and relevant document templates:
- GDPR Policy & Procedures.
- Guidelines on data retention periods.
- Privacy Notices for candidates and employees.
- Subject Access Request Procedures and Form.
- Data Processor Agreement, for any third party that processes employee data on the company's behalf.
- Data Breach Incident Form.
- Processing Activities Register (the record of processing activities required by Article 30).
At Insight HR, our experienced consultants can help you become GDPR compliant. We can review your existing data protection processes and procedures, identify gaps, put in place an action plan for compliance and train your management team. We can also provide you with an experienced onsite HR resource to assist you in this process. To find out more about GDPR compliance, contact Mary Conway, Liam Barton, Patrick Foley or Mary Cullen at 056 7701060 or email firstname.lastname@example.org