
SD Worx European Conference 2018: Top Five Lessons on Implementing GDPR

In February, SD Worx hosted its European Conference 2018 at the Hilton on Park Lane, London, with over 800 attendees and 30 expert speakers. One of the sessions, titled ‘How to be internationally compliant in a digital world’, was hosted by Gert Beeckmans, chief risk and security officer at SD Worx, and Frank Rudolf, director of payroll at PAREXEL. Here are their top five lessons on implementing GDPR:

1. It’s not just about IT

Don’t dive too deep into technicalities. Take a dual approach: (1) IT and systems, (2) organisation. HR and payroll managers should take a lead on creating awareness of GDPR within the organisation, providing employee training on data privacy, helping to create corporate policies and standard operating procedures, and giving guidance. GDPR is all about the rights of individuals and their data, and the way organisations manage and protect that data.

2. C-level buy-in is essential

Senior management should publicly acknowledge the fact that GDPR is coming into force and drive the idea of getting ready for it through the organisation. The CEO should own this, while delegating tasks and responsibilities.

3. GDPR rights are balanced with the rights of the organisation

While there are heavier penalties for non-compliance, new rights to data portability and erasure (the right to be forgotten), and the need to specify a data retention period, these must be balanced with other legislative requirements, such as employment law. Make sure you check with relevant colleagues before making data changes.

4. You are not alone

HR and payroll are part of a data ecosystem, and your third-party systems and software providers need to demonstrate that they are compliant. Ask questions and challenge your providers.

5. You will not get it perfect the first time

This is a new framework and, in the absence of any case law, you can only interpret GDPR. It is likely you will have to correct your approach. This is a milestone – regulators will want to see that you have a demonstrable process and evidence that you are serious about this. Have a clear action plan and check on a country-by-country basis.

For more information, please contact us.