GDPR to cost HR €20 Million: are you ready? I doubt it…
As of 25th May 2018 a new Data Protection Act (DPA) will be enforced across the UK; it will be known as the GDPR (General Data Protection Regulation).
What does that mean for HR and your business?
Most organisations will be establishing transformation programmes to identify the data they hold on customers, candidates and employees.
If your business is going through any kind of change (organisational or system) now is the time to act too.
Non-compliance fines can reach as high as 4% of annual turnover or €20 Million.
Our biggest concern is that businesses are focusing solely on customer data and processes and not on internal HR processes (recruitment, onboarding, absence management etc).
Let’s summarise it for you:
Increased Territory – it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location
Fines and Penalties – If you are in breach you can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Consent – Organisations will no longer be able to use the complicated and impossible legalese, packed full of small print. Consent must now be clear and distinguishable and provided in an easily accessible form, importantly using clear and plain language.
Right to Access – Candidates and employees will be able to ascertain whether or not personal data concerning them is being processed, where and for what purpose. Furthermore, HR and the business will need to provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and gives more power to candidates and employees (current or ex).
Data Removal – Candidates can request that HR erase their personal data and stop circulating the data within the business; it also stops third parties processing the data (i.e. reference and background checking partners).
Data in a readable format – Candidates and ex-employees have the right to receive the personal data concerning them in a ‘commonly used and machine-readable format’ (i.e. not in an impossible-to-decipher file that you need accounting software to read). Essentially this means that candidates and ex-employees are not going to give up chasing, because now it won’t be the uphill battle that it once was.
Privacy by Design – Data protection and knowledge of the GDPR need to be built into all processes at stage 1 and not added at a later date. If you are going through some sort of transformation or change, you need to consider this now, or it is going to cost you a lot at a later date… maybe €20 Million!
Data Protection Officers – Currently you need to notify your data processing activities to the local data protection authority (DPA). Under GDPR it will not be necessary to submit notifications / registrations of data processing activities to each local DPA. Instead there will be internal record-keeping requirements, and Data Protection Officers will need to be appointed for some organisations, especially when data relates to criminal convictions and offences.
Are you ready for this? I doubt it…
Improve and Consult can help design and conduct Data Protection Impact Assessments (DPIAs) to ensure that your organisation is ready for the changes in May; they will come around very quickly.
8 GDPR takeaways and hints:
Awareness – Make sure that decision makers and key people in your organisation are aware of the changes.
Document – Audit what personal data you have, where it came from and who you share it with.
Privacy notifications – Review your privacy notices, especially for candidates applying for jobs.
Rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data to candidates and customers.
Requesting data – Update your processes and plan how you will handle the volume of requests within the new timescales.
Adequate consent – Review how you seek, record and manage consent and whether you need to make any changes.
Age – Do you have processes in place to verify candidates’ and customers’ ages, and are you obtaining parental or guardian consent for any data processing activity?
Data breaches – Ensure you have the right processes to detect, report and investigate a personal data breach.
Get in touch for a discussion: email@example.com, Our Website