Guest Blog by Dean McGlone, Sales Director at V1
According to the head of the NCA’s National Cyber Crime Unit (NCCU), businesses have a crucial role in fighting cybercrime. As custodians of sensitive ‘people data’, HR professionals naturally have a role to play too. But while ongoing stories about data breaches have haunted HR professionals because of the weight of the sensitive information they hold, the General Data Protection Regulation (GDPR) will throw a lifeline to data-swamped HR departments.
The regulation, which comes into force in less than six months, should be seen as an opportunity for HR professionals to think carefully about their data processes, ensuring they treat personal data correctly and plug any gaps in compliance. In addition, organisations will be able to build more trusted relationships with their employees as a result, and to identify new opportunities such as unused skills among existing staff, or pinpoint training requirements.
Now is the time for HR professionals to review their current technologies and decide whether they will be fit for purpose come 25th May 2018.
Here are seven questions HR departments should be asking themselves:
1. Can you easily find documents and know which individuals are named in each?
2. Are all the documents stored in one location?
3. Are you confident you’ve got all the information you need?
4. Do you know how many copies of the data exist?
5. Can document access be restricted to authorised employees?
6. Could documents get into the ‘wrong hands’?
7. Are you easily at risk of a security breach?
GDPR compliance might seem like a daunting task for some, and a good starting point is an automated document management system. Storing, managing and tracking electronic documents and electronic images of paper-based information in one place and in real time helps meet compliance requirements by providing traceability for all documents. This can help with:
The right to be forgotten
With paper files, locating and erasing data on employees is a time-consuming and difficult task. Information could easily be spread over many different sites and locations, and be duplicated or even lost. Using an automated system means all files are stored in a single and secure location, and finding and erasing the relevant ones is a much simpler and efficient process.
Under the new GDPR rules, organisations should only keep personal data for as long as is necessary, and for the purpose for which it was obtained. Therefore, details of unsuccessful job applicants should be removed following the end of the recruitment process, unless a candidate has given their explicit consent for the organisation to hold onto it. Also, employers should only keep limited data relating to employees who leave. This will mean HR teams must ‘prune’ employee data as part of the exit process; a tricky and time-consuming job without the right systems in place.
Consent rights have been strengthened for individuals under the GDPR. Of critical importance to HR professionals will be that organisations must not only be able to prove they obtained permission from an individual to store and use their data, but also provide electronic copies of private records on demand. This will be a difficult ask for organisations without the right systems to manage the process.
Privacy by design
The GDPR also talks about ‘privacy by design’, whereby data protection is hardwired into the processes and behaviours of the organisation. A single system can help ensure everyone is working in the same manner and to the same procedures. It can also show strong compliance by evidencing all communications and involvement with a client as well as controlling who has access to what data.
The right to access
Under the GDPR, individuals have the right to access their personal data. The information must be provided to the individual using ‘reasonable means’ and within one month of receipt of the request. Using a document management system means information is stored in one setting, can be easily accessed, and efficiently sent to the individual within the set timescale. All user actions within such a system have audit trails and documents cannot be accidentally deleted, providing confidence that the right data can easily be passed on.
The right to data portability
This allows individuals to move, copy or transfer personal data easily and securely from one IT environment to another. Fulfilling this request is made easy with technology – all the information can be easily located, retrieved and sent on within the set timescale in an approved format.
Breach notification standards
The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant authority, and in some cases to the individuals affected, within 72 hours of becoming aware of it. A breach can be identified and reported immediately using automation systems – something that is nearly impossible to do when dealing with paper documentation in various locations.
While the GDPR will have a huge impact on every organisation, HR departments will be one of the hardest hit. In the long term, this will have many benefits. But with the clock ticking, it’s crucial HR teams carefully assess their current processes and procedures to ensure they meet new requirements now – or face the fines later.