The Seven Steps to GDPR Compliance
The European Union’s General Data Protection Regulation (GDPR) became officially enforceable as of May 25, 2018. GDPR establishes sweeping regulations around the use, protection, privacy, and export of data for all individual persons within the EU. The regulation impacts both EU and non-EU organizations that house the data of EU citizens.
Given the scope and impact of GDPR, organizations have been preparing diligently for its enactment since the regulation was adopted in April 2016. With GDPR now in effect, global HR organizations will need to partner closely with legal, IT, and other data privacy stakeholders to ensure ongoing privacy and security of employee data.
Your Ongoing GDPR Compliance Checklist
- Ensure HR systems have the latest updates and patches – Reduce potential vulnerabilities by maintaining up-to-date versions of all HR software. The number of ransomware incidents and the size of ransom demands are expected to increase with the implementation of GDPR, making current, up-to-date software a bare minimum necessity.
- Include HR data audit results in HR performance metrics – HR data integrity and security should be included as key HR operations performance metrics. As the saying goes, what gets measured gets managed.
- Provide ongoing training to HR employees on data sharing and data security best practices – Employees are often the unwitting source of a data breach, whether as victims of a phishing attack or by losing a company device. Communicate to employees that they, too, are accountable for maintaining the security and privacy of their own personal data, as well as that of their colleagues.
- Revisit access permissions in HR systems – It is key to balance the needs of the business with increasing data privacy constraints. To do so, periodically revisit the level of permissions granted at the group level within HR systems.
- Purge unnecessary data frequently – HR systems house a wealth of employee, applicant, and retiree data, not to mention employee family data. Periodically destroying unnecessary records can eliminate risk and impact if a data breach occurs.
- Hold vendors and third parties accountable – From payroll processing vendors to employee benefits providers, employee data is shared with a host of HR vendors and partners. Ensure those vendors adhere to data integrity and minimization best practices as a safeguard for employees and your organization.
- Take an active role in data privacy oversight – While legal typically owns GDPR governance, HR should have representation on data privacy and oversight committees that are formed to ensure ongoing compliance across the enterprise.
With GDPR now in effect, the mandate for global organizations to be transparent with how data is used and maintain data security is stronger than it has ever been. The consequences of non-compliance are compelling—organizations can be fined up to €20 million (nearly $24 million) or 4% of revenues.
While preparations for the May 25 implementation of GDPR have been extensive, the work to maintain compliance is only beginning. HR organizations, which house a wealth of information about potential, current, and former employees, must adopt an aggressive continuous improvement approach to protect HR data and ensure full transparency around how HR data is used.
The Telegraph: GDPR could result in higher ransomware demands, experts warn
This report is part of the Human Capital Compliance Minute series.