GDPR implementation is quickly approaching, and with this in mind, it is critical for HR and talent management professionals to consider how their current strategies align with the legislation, as well as the elements which will need to be addressed and changed to ensure compliance.
What is GDPR?
GDPR comes into effect to provide EU citizens with a higher level of protection when businesses keep their personal data. This not only covers customers and subscribers but also has significant internal implications, including the collection of employee and applicant data, the manner in which it is stored and, more importantly, obtaining consent from those whose data you store.
Are there associated important dates?
Although the new regulations come into effect on May 25th, 2018, employers and talent management should consider the changes well ahead of the implementation date. It is critical for businesses to prepare their strategies before the new regulation, to ensure compliant processes are in place and the systems are running smoothly. Planning also offers businesses the opportunity to ensure that their employees are compliant with these processes, to keep data protected and ensure that they are not at risk of being hit with a hefty fine.
Definition of personal data and what this includes
Personal data is interpreted differently by different people and different companies. However, under EU data protection regulation, the definition covers information related to a customer or employee, including name, age, photographs, bank and payment details, email and postal address, and medical records. Businesses must make a conscious and reasonable effort to ensure that their stakeholders' data is secure and safe.
Definition of consent and how to obtain this from an employee
Due to the revision of EU law regarding data, talent management must now consider the data that they hold and understand how this can be used in line with the GDPR consent guidelines. Within Article 4 of the GDPR legislation, consent is defined as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Responsibilities of HR and talent management
As an internal member of HR or the talent management team, it is essential that you ensure that you are compliant with the GDPR regulations when collecting data on candidates, applicants, new employees, managing existing employees and past employees.
Talent management specialists and those who work within the spectrum of handling employee data must never presume that employee consent is ‘freely given’ and must instead understand that “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
Within HR and talent management practices, a business may process essential data under an employment contract or if this data is necessary to the company's legitimate interests. Consent can no longer be hidden in the terms and conditions and must be visible when providing personal data.
The new legislation also requires employees to be notified of data breaches “without undue delay” where the breach could potentially cause harm to the employee. Any data breach must also be reported to the DPA within 72 hours of the occurrence. This, however, is nullified if the data is encrypted or does not require personal identifiers for individuals.
How can you ensure compliance?
When considering how your business will amend its talent management efforts to align with GDPR legislation, the core changes should include:
- Educating employees on the changes
- Ensuring that those handling data attend a course or receive adequate training to cope with GDPR
- Having HR review current employee contracts and documents held to meet requirements
- Restructuring how data is collected, stored, obtained and recorded