Identify the lawful basis on which you are capturing personal data
As an employer, you must have a valid basis to gather and process personal data. In most cases, this will be a legal obligation, contractual necessity or legitimate interests. For example, you may need to gather candidate contact information for communication purposes, or you may need social security numbers for tax and payment purposes.
However, in some instances, you may need to obtain consent from the individual to use the data for a specific purpose that falls outside the usual employer-employee relationship. Make sure you have clearly identified the lawful basis for all personal data you are capturing to manage data and consents accordingly.
Capture and manage consent for personal data
Under the new GDPR rules, where you process data on the basis of consent, that consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes, demonstrated by a statement or by a clear affirmative action. So, silence, pre-ticked boxes and inactivity do not amount to consent.
Furthermore, you also need to keep a record of this consent. Consider how you will track and update consent against each data point so that if consent or circumstances change, you are able to make the necessary adjustments quickly. Remember that you may need to revisit your existing consents to make sure they are still valid under the GDPR.
Keep employees informed about their personal data rights
The GDPR gives employees significantly more control over their personal data – rightly so. Do you have plans in place to notify employees about the changes and their new rights?
Make sure you update your privacy notice statements for all employees and candidates explaining: what data you hold on them, what you’ll do with that data, where it is stored, how long you’ll hold it and what their rights are in respect of that data. Privacy information and notices must be shared well in advance and be easily accessible.
Use self-service to manage data access requests quickly and efficiently
Employees have always been entitled to request information about the data you hold on them, but the GDPR now makes this much more accessible for employees. You’ll need an efficient way of enabling employees to see their data, change it as necessary, and understand how it is being used. This is where self-service comes in.
If your workforce can manage their own data through self-service functionalities in an HR or People system, then everything is suddenly significantly easier. This also means that you can automate processes and notifications to the HR or People team regarding changes they may have to make when personal data is updated.
The GDPR also allows employees to access their personal data if they wish, and in some circumstances, have their personal data erased. Make sure you have processes for identifying, rectifying and deleting the data in line with requests.
Tailor data access and control so only those with the right permissions have access
Do you know who can access your employee data? Update your permission settings for your HR or People system to ensure that only relevant HR and People team members can access personal data. Remember, you may need to communicate to employees who can access their data if they request information on this, so take this into account when deciding permissions.
Ensure your people data is in a secure single source of truth
To prepare for GDPR, you need to securely document all the personal data you hold, including information on where it came from and who you share it with. This is hard when your data is currently spread across spreadsheets or multiple disparate systems. A single cloud-based HR and People system will help with this, so if you don’t currently have one it’s time to start looking.
We know there’s a lot to think about, so Sage has prepared an in-depth guide to help teams take appropriate steps to get ready, including a comprehensive readiness checklist.
Ultimately, the GDPR is one of the biggest shakeups ever seen affecting how personal data should be handled. As gatekeepers and processors of personal data, HR and People teams have a crucial role to play.
Get GDPR sorted.
Visit Sage’s essential GDPR hub for HR and People leaders at www.sagepeople.com/gdpr