Got Data? Panic and Run - What does the GDPR mean for HR? Posted by Mike on 15 October 2017

Got Data? Panic and Run - What does the GDPR mean for HR?

The History of Data Protection Legislation

The history of data protection legislation is inextricably linked with the ever-expanding world of technological innovation and - reflecting the fact that companies can now process increasing amounts of data in more creative ways – the latest legislation coming into force in May next year, the General Data Protection Regulation (GDPR), is set to be the toughest data privacy law in European business history.

Personal data is absolutely everywhere and it’s easy to forget just how far we have come in technological developments over the past few years, which has led to this proliferation of data. For example, in 1956, a 5MB hard drive had to be fork-lifted onto a plane for transportation, now 5GB USB sticks are readily available and fit conveniently into your pocket, and you can even store data in the cloud.

Use of Data in Human Resources

From a HR point of view, we should approach the GDPR from a life cycle perspective. This means following the data through the business from recruitment through to mover/leaver policy and everything in between. What exactly is our hiring process, what recruitment companies do we use, how do we handle sick notes, appraisals and pensions – these all need considering.

There is a variety of both manual and electronic data in every HR department and consideration should be given to how it is processed. Experienced Data Protection Officers are thin on the ground, with the latest estimates indicating that there could be a deficit of up to 70,000 DPOs across Europe; this represents as much of an opportunity as it does a challenge.

Data is the new oil

Data is a hugely valuable asset for any data-driven business, enabling the day-to-day functioning of a company, but also for use in improving customer or employee experience and driving business growth. However, if not managed correctly, this data could also become a huge liability when the General Data Protection Regulation (GDPR) comes into force in May. It should be remembered that, unlike previous deployments of data protection legislation, there will be no ‘grace period’; from 25th May 2018, if your business is not compliant your company is at risk from reputational damage and potentially huge fines of up to €20m or 4% of annual turnover.

Accountability

If you are a data controller (the natural or legal person, agency or any other body which determines the purposes and means of the processing of personal data), you are ultimately accountable for the way that your company manages and processes data. Whilst accountability has been a requirement of data protection law for some time, the GDPR elevates its significance and, for the first time, data processors (parties who process personal data on behalf of a data controller) will also find themselves accountable. Both data controllers and data processors must be able to actively demonstrate compliance with the GDPR in terms of the organisational, procedural and systems solutions which are in place to protect personal data.

With so many additional policies and procedures required, and the risks being so high, if you’re responsible for managing and processing personal data, tackling GDPR compliance might seem like a daunting task. Whilst there is no need to panic, now is certainly not the time to bury your head in the sand and assume it doesn’t impact you.

Where should you begin?

Seize the opportunities

These measures might seem like a lot of work, but they will minimise the risk of data breaches, help to protect the personal data of staff, ensure your organisation’s compliance and allow you to demonstrate this should the regulator come knocking. And, whilst it’s true that the GDPR presents organisations with challenges, it can also bring great opportunities for companies which use it to build and strengthen trusting relationships with current and future employees and customers.

If you’d like to find out how our lifecycle approach can help you to identify and manage risks across your organisation and provide a simple way of managing and mitigating these risks on an ongoing basis, contact our Dublin team on +353 (0)1 683 3314 or email info@sytorus.com or contact the London team on 0207 936 9442 or email info@sytorus.co.uk.