The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It marks a turning point in data protection and replaces the existing EU laws on individual privacy and the protection of personal data.
The GDPR also enshrines the EU's position that every person has a right to the protection of their personal data. Its reach is global: it applies to companies in the Middle East and elsewhere that process the personal data of individuals in the EU, or that offer goods and services to them.
Data breaches and infringements have already inflicted heavy damage on companies in the Middle East that do business with the EU, so it is essential that they understand the new rules. This applies especially to human resources teams in the region, who act as gatekeepers of employee personal data.
Let’s take a look at the 9 things you should know.
Identify why you need the personal data
Personal data may only be gathered and processed on a lawful basis, such as a legal obligation, the performance of a contract, or a legitimate interest. For example, collecting an employee's social security number is justified for tax or payroll purposes. In other cases you need the individual's consent, for instance to use their data for a purpose outside the employer-employee relationship. Note that regulators treat consent given by employees with caution because of the imbalance of power between employer and employee, so rely on consent only where no other lawful basis genuinely applies.
Capture and manage consent for personal data
Where consent is the basis for processing, it must be obtained before the processing begins, and it must be freely given, specific, informed and unambiguous, expressed either as a written statement or as a clear affirmative action. Pre-ticked boxes, silence, no-reply emails and inactivity do not amount to consent. Keep a record of each consent: who consented, to what, for which purpose, when and how. Consider how you will track and update consent against each data point so that a withdrawal can be acted on swiftly.
Keep employees informed about their personal data rights
GDPR gives employees greater control over their personal data, so as an employer it is vital that you keep your employees informed of their rights and choices. This means telling them what data is held, what will be done with it, where it is stored and for how long. Make sure you issue privacy notices to all employees and candidates.
Use self-service to manage data access requests
Employees have the right to request access to the personal data held about them (a subject access request), and under GDPR you must generally respond within one month. Self-service HR portals are an effective way to simplify this: employees can view and correct their own records, and automated notifications can alert HR when personal data is changed.
Ensure you can provide data in an accessible format
GDPR gives employees the right to access their personal data, to have it rectified and, in some circumstances, to have it erased; the right to data portability additionally requires that data be provided in a structured, commonly used, machine-readable format. Make sure you can export requested data in an accessible, machine-readable format such as CSV, and have processes in place for identifying, rectifying and deleting data in response to such requests.
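As an added example (not code from the original article) of how the consent-tracking point above and the access, rectification and erasure point can be implemented together, the following Python sketch keeps an append-only consent log per data point, rejects capture methods that are not a clear affirmative action, refuses to store consent-based data without a logged consent, exports a subject's data as CSV, and handles rectification, erasure (declining where a legal obligation requires retention) and consent withdrawal. The store class, the lawful-basis and capture-method labels, and the employee data are all constructed for illustration and are not drawn from any real HR system.

```python
# Added example, not from the original article; names and sample data are constructed.
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Capture methods treated as a clear affirmative action (constructed labels).
# Pre-ticked boxes, no-reply emails and inactivity are deliberately absent.
AFFIRMATIVE_METHODS = {"written_statement", "signed_form", "clicked_opt_in"}
# Lawful bases other than consent (constructed labels). Data held under a legal
# obligation, e.g. payroll records the tax authority requires, is exempt from erasure.
NON_CONSENT_BASES = {"legal_obligation", "contract", "legitimate_interest"}


@dataclass
class ConsentRecord:
    subject_id: str
    data_point: str
    purpose: str
    given: bool
    method: str
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class HRDataStore:
    records: dict = field(default_factory=dict)   # subject_id -> {data_point: value}
    basis: dict = field(default_factory=dict)     # data_point -> lawful basis
    consents: list = field(default_factory=list)  # append-only consent log

    def record_consent(self, subject_id, data_point, purpose, method):
        """Log consent only if it was captured by an affirmative action."""
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} does not amount to consent")
        self.consents.append(ConsentRecord(subject_id, data_point, purpose, True, method))

    def has_consent(self, subject_id, data_point):
        # The most recent log entry for this subject and data point decides.
        entries = [c for c in self.consents
                   if c.subject_id == subject_id and c.data_point == data_point]
        return bool(entries) and entries[-1].given

    def withdraw_consent(self, subject_id, data_point):
        # Log the withdrawal and drop data that was held on consent alone.
        self.consents.append(ConsentRecord(subject_id, data_point, "", False, "withdrawal"))
        if self.basis.get(data_point) == "consent":
            self.records.get(subject_id, {}).pop(data_point, None)

    def store(self, subject_id, data_point, value, lawful_basis):
        """Refuse to hold a data point without a declared lawful basis."""
        if lawful_basis not in NON_CONSENT_BASES | {"consent"}:
            raise ValueError(f"unknown lawful basis {lawful_basis!r}")
        if lawful_basis == "consent" and not self.has_consent(subject_id, data_point):
            raise PermissionError(f"no recorded consent for {data_point!r}")
        self.basis[data_point] = lawful_basis
        self.records.setdefault(subject_id, {})[data_point] = value

    def export_csv(self, subject_id):
        """Access/portability request: everything held, as machine-readable CSV."""
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["data_point", "value", "lawful_basis"])
        for point, value in sorted(self.records.get(subject_id, {}).items()):
            writer.writerow([point, value, self.basis[point]])
        return buf.getvalue()

    def rectify(self, subject_id, data_point, new_value):
        if data_point not in self.records.get(subject_id, {}):
            raise KeyError(data_point)
        self.records[subject_id][data_point] = new_value

    def erase(self, subject_id, data_point):
        """Erasure request: True if erased, False if kept under a legal obligation."""
        if self.basis.get(data_point) == "legal_obligation":
            return False
        self.records.get(subject_id, {}).pop(data_point, None)
        return True


def run_scenario():
    """Walk one constructed employee record through the lifecycle."""
    store, out = HRDataStore(), {}
    store.store("emp-001", "tax_id", "TX-12345", "legal_obligation")
    store.store("emp-001", "bank_iban", "AE070331234567890123456", "contract")
    try:  # a pre-ticked box is not consent ...
        store.record_consent("emp-001", "photo", "intranet directory", "pre_ticked_box")
        out["pre_ticked_accepted"] = True
    except ValueError:
        out["pre_ticked_accepted"] = False
    try:  # ... and without consent the data point cannot be stored
        store.store("emp-001", "photo", "photo-001.jpg", "consent")
        out["stored_without_consent"] = True
    except PermissionError:
        out["stored_without_consent"] = False
    store.record_consent("emp-001", "photo", "intranet directory", "clicked_opt_in")
    store.store("emp-001", "photo", "photo-001.jpg", "consent")
    out["export_rows"] = store.export_csv("emp-001").splitlines()
    store.rectify("emp-001", "bank_iban", "AE070331234567890123499")
    out["tax_id_erased"] = store.erase("emp-001", "tax_id")  # kept: legal obligation
    store.withdraw_consent("emp-001", "photo")              # photo dropped with consent
    out["remaining"] = sorted(store.records["emp-001"])
    out["consent_log_len"] = len(store.consents)
    return out
```

The two failure modes the text warns about are what the scenario exercises: a consent captured by a pre-ticked box is rejected and never logged, and a consent-based data point cannot be stored until an affirmative consent exists. The erasure request for the tax identifier is declined because it is held under a legal obligation, while withdrawing consent removes the photo that was held on consent alone. A real system would key the lawful basis per subject as well as per data point and would persist the consent log in tamper-evident storage, but the control points are the same.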
Audit all personal data held on employees
Holding personal data you do not need increases your exposure and conflicts with the data minimisation and storage limitation principles. Bring the data together in one place so that you can inventory electronic records and audit paper copies. Destroy any information you no longer require and retain only what you have a genuine reason to keep. For any data you do retain, make sure you have a lawful basis for holding it, whether that is consent or another ground such as a legal retention obligation.
Control who has access to the data
It is important that you control who can access your employee data. Carry out an audit of permissions to assess who needs to access what, why and when, and remember that you must be able to tell employees who can access their data if they ask. Then update the permission settings in your HR systems so that only the people who need personal data for their role can reach it.
Hold data securely in a single source
To meet the GDPR standards you must securely document all the personal data you hold, including where it came from and who you share it with. Managing data scattered across spreadsheets and multiple systems makes that difficult, so a single, access-controlled system, such as a cloud-based HR platform, helps you manage and control the data more effectively.
Assess suppliers for their ability to comply with GDPR
Complying with the GDPR can be a complex journey. Check that the HR systems you use are fully committed to making your business GDPR ready, look for suppliers who have a GDPR strategy and whose products conform to the new regulation, and engage with them on a regular basis. Remember that a supplier who processes employee data on your behalf is a processor under GDPR, and you need a written contract with them that sets out the processing they perform.