With just six months to go until the introduction of the new GDPR rules (set for 25 May 2018), there has been plenty of discussion from vendors regarding what you need to consider to ensure that your business is compliant.
We’ve previously written about why HR managers need to be aware of the new legislation but let’s take some time to look at what vendors are saying as the deadline draws closer.
How GDPR will affect HR
The GDPR directive has been established by the EU primarily to ensure that the current data protection laws across Europe are harmonised. For global companies, this means that there will be just one set of privacy legislation to adhere to, but what do HR professionals need to consider as part of these new regulations?
Firstly, it’s important to realise that when it comes to GDPR, there is an equal responsibility between both the data controller (i.e. your business) and the processor (i.e. your chosen technology) to ensure full compliance.
The team at PeopleHR suggest that for most HR professionals, GDPR can be split into four main areas: consent, data rights, subject access rights and breach reporting.
Sage has gone one step further and has suggested that HR professionals will also need to consider “data protection by design”, where data protection risks are assessed as part of designing any new policy or process rather than after the fact.
We agree that these are the key areas to consider, but we would also like to draw attention to the fact that depending on your company size, you may need to consider employing a mandatory Data Protection Officer (DPO) to oversee your strategy and implementation of GDPR requirements.
If you’re not sure of what you need to do before May, we recommend that you undertake the GDPR Self-Assessment Questionnaire which has been developed by MHR.
Don’t forget, your HRIS system needs to be compliant too!
We’ve mentioned that your HRIS system needs to be compatible with the new regulations to ensure that all employee personal data is held securely, but what does this actually mean?
PeopleHR suggest that the first thing you should do is to make sure that your vendor is not only registered with the Information Commissioner’s Office (ICO) but is also ISO 27001 certified.
ISO 27001 is the international standard for information security management, so if your vendor holds a company certificate you can be confident that they are treating your employee data with care. Bear in mind that a certificate covers a defined scope, so it is worth checking that the scope includes the service that actually holds your data.
It’s also important for HR professionals to know exactly where your supplier holds your data and how often its security is tested: if you are bound by GDPR, for example, personal data should not be held outside of the European Economic Area.
PeopleHR suggest that you should ask your HRIS supplier to confirm where their data centres are located. They also recommend asking how often the software undergoes penetration testing, so you can be confident that your technology is secure and resistant to potential attackers.
The focus on HRIS system security has also been echoed by CoreHR, who point out that next year “any breaches in security will have to be reported to the DPA within 72 hours”. It is therefore vital for all HR professionals to understand what procedures your supplier has in place to prevent security breaches, and what their disaster recovery plan is.
Finally, Cascade suggests that your HRIS system should be closely aligned with your wider IT systems, so that data can be deleted consistently across them in accordance with the new ‘right to be forgotten’ element of the GDPR legislation.
How Silver Cloud is uniquely positioned to help you through these changes
If you’re still unsure about GDPR and would like to get impartial advice on what you need to do, and how HRIS systems can help you prepare, then get in touch.
- We can help you review your existing HR data as well as act as liaison with your HR Systems vendor to ensure compliance.
- If your system allows, we can also help build the relevant reports needed to comply with the changes to processing employee data, and work with your system vendors to build specialist ‘information notices’ into your current HR self-service portal or intranet.
- For those of you looking to recruit in 2018, we can also help review your recruitment process and suggest changes in-line with the new guidelines.
Our team have years of experience working in HR departments for businesses of all sizes, so we know what your concerns are and how we can resolve them.
We offer completely independent advice on the wide range of cloud-based software so you can trust that we will only ever offer the best solution for your needs.