Exactly who should be responsible for data protection within an organisation? Should it be a matter for C-level staff only? Or the IT department? The sales and marketing department collecting customer information? Or is it time to appoint a dedicated Data Protection Officer?
The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It applies to any organisation that processes the personal data of EU citizens regardless of where they are situated. Brexit won’t let UK companies off the hook as the government has announced that the legislation will be brought into UK law.
GDPR enhances and extends current privacy laws. For example, existing data subject rights to receive a copy of data and the right to rectification are extended with shorter time limits for compliance. There are also new rights such as the right to erasure (although these aren’t quite so broad as the much-discussed right to be forgotten) and there are new obligations to report any breaches. In all, it covers around 250 pages which at times lapse into vagueness, so despite its importance it very much requires business to work through it, taking guidance from local bodies and deciding how to adapt working practices in order to conform.
The potential fines have been described as ‘eye-watering’ alongside the reputational risk of being found as non-compliant has focused minds around this issue of responsibility. As a result, many companies have reached a consensus – to make this change happen successfully HR have a key, if not leading role to play.
I would agree. While it may in the short term appear to be a burden, especially as time frames are becoming short, I believe HR teams will rise to the challenge, transforming a chore into a positive initiative. The creation of rigorous guidelines for personnel data will then act as a template for other data held such as information on customers and prospects.
The HR department is already the custodian of the employee interest and engagement, they are also used to leading organisational wide change programmes. Because of all of this they attract a certain degree of trust and confidence which is necessary to ensure that the organisation’s colleagues buy in to the steps being taken to protect their data as well as that of their customers. At the same time as considering the financial and reputational impacts of noncompliance, everyone should consider the impact to employee confidence in their employer should there be a loss or miss handling of HR data.
HR will be familiar with current data protection laws and the processes an organisation has in place to support them. It’s important to know what processes are already in place so that these can be extended to cover the new legislation.
Each business will have to work out how the legislation impacts them and then work out the policies, processes and procedures that must be changed to support the legislation. HR teams are accustomed to writing policy, creating processes and communicating them so that everyone can follow. They are also the experts in training staff too - a necessary task so that everyone understands why certain steps are taken.
They also have good knowledge of risk and employee behaviour. They will understand that staff requests to view data are bound to grow and be more than capable of dealing with this increase, preferably through clear, well-defined paths of communications and strong process.
It must be remembered that GDPR is still a business-wide challenge and privacy and security measures need to be integrated into processes across the board. There’s no doubt that IT departments will need to work closely with HR – especially as to where data is being held and how to access it. The new right to erasure will require knowledge of any hidden silos of information and potentially technical expertise to remove or archive it. Getting a clear data retention policy is a time-consuming process as the legislation doesn’t in anyway override the need to keep other records for other legal purposes such as that of auditing payments, etc. The benefits of getting this right give your teams a clear guide on what to hold and for how long and really take the ambiguity out of some of the decision-making process.
Personally, I can’t remember another security and data protection initiative that has focused and led to such engaging and open conversations. The level of transparency we are seeing between our organisation, our suppliers and our customers is at an all-time high and personally I believe this is leading to greater confidence in the supply chain and stronger relationships. So, it’s important not to focus on the fines for non-compliance, but rather the positive results – the focus on driving greater collaboration between the internal units of the business and also externally with customers, partners and suppliers. If HR can lead the way, championing this positivity and showcasing their expertise in personal data issues it can only be good for them – and for the business.
We’ve been working with our customers who are implementing GDPR for a while now and the level of activity is ramping up now May 2018 is in sight. There’s no doubt that adoption is not just about data security – it’s an opportunity for cultural change and a new way of working.
Charlie Knox -
Head of Technology
If you want to learn best practice in handling data in light of the General Data Protection Regulations (GDPR), you can do no better than to look at DuPont. Now part of science giant DowDuPont following a merger last year, data is part of the DNA of the organisation and it has a long history of embedding data protection into its culture.
12 March 2018
6 September 2017
With the 25th May deadline only a month away, it is more important than ever for HR and payroll departments to ensure that they are GDPR compliant. If organisations are not compliant the penalties are significant, with fines of up to €20m or 4% of global revenue, and companies will undeniably suffer from significant brand damage.
So, what should HR and payroll teams do during the next month to ensure that they are compliant and ready by the deadline?
9 April 2018
In the upcoming webinar, titled ‘GDPR: Dealing with the data rights of your employees’ and brought to you by SD Worx and global law firm DLA Piper, HR professionals can learn about data subject rights ahead of the General Data Protection Regulation (GDPR). This is the first in a series of GDPR guidance webinars to be launched in the run up to May next year.
22 November 2017
On Thursday 30th November, the SD Worx and DLA Piper teams hosted the first webinar in our General Data Protection Regulation (GDPR) series. This webinar focused on the HR and payroll industry and how it should manage the data rights of employees.
11 December 2017
With the General Data Protection Regulation (GDPR) deadline just four months away, is your organisation prepared? To help get your HR and payroll department ready for when the regulation takes effect on 25th May, we’ve put together a checklist that includes the essential steps to compliance.
8 January 2018
With the GDPR deadline just four months away, are you prepared? To help get your HR and payroll department ready for when the regulation takes effect on 25th May, we’ve put together a checklist of essential steps to compliance.
19 January 2018
We all know GDPR is coming, but is your business really prepared for it? To help get your HR and payroll department ready for when the regulation takes effect on 25th May 2018, we’ve put together a GDPR checklist.
25 October 2017
Once GDPR comes into effect, companies must provide employees and data regulation authorities with carefully-documented data information. To simplify this process, these records should be stored in the form of a data register, filled in by HR and payroll professionals, alongside other departments within the organisation. However, how should HR and payroll departments set up and maintain a data register?
5 March 2018
With the implementation of the General Data Protection Regulation (GDPR) next month, if an organisation is working with HR and payroll vendors, it will be their responsibility to ensure that these business partners are GDPR compliant. Any external organisation that handles the data of employees or customers must be compliant, otherwise the organisation is also at risk of breaking GDPR regulations.
26 April 2018
18 October 2017
Having joined the GDPR bootcamp for Marketers in Reading on the 15th of September, I wanted to share what I have learned during this full on (but very enlightening) day in an easy to digest blog:.
2 October 2017
With the General Data Protection Regulation (GDPR) due to take effect in less than four months’ time, it’s essential that HR managers understand exactly what the regulation entails.
15 January 2018
On Wednesday 25th January, SD Worx and DLA Piper hosted the second webinar in our General Data Protection Regulation (GDPR) series focused on implementing an appropriate retention of employees’ data.
29 January 2018
PAREXEL provides best practice examples to international organisations.
With the General Data Protection Regulation (GDPR) coming into effect in May 2018, all organisations who handle data of EU citizens will need to comply with new guidelines. By nature, HR departments hold personal and sensitive employee data, including payroll data. However, with an increasing amount of payroll and HR departments adopting automated payroll processes, the question arises: how do you become compliant in a digital world, especially if you are an international company?
With just three months to go until the General Data Protection Regulation (GDPR) comes into force, the clock is ticking for HR and payroll managers to get the systems and processes in place to ensure compliance. The regulation, coming into effect on 25 May 2018, updates data rights for today’s networked world and organisations ignore it at their peril. A major infringement could cost a company up to 4% of its global revenue while there is a penalty of 2% of global revenue if records are not in order or a supervising authority and data subjects are not notified within 72 hours when personal data is exposed in a security breach.
19 March 2018
2 October 2017
With GDPR on the horizon, are your HR and Payroll departments prepared? With large fines and serious damage to your business’ reputation at stake for non-compliance, here’s how you can become GDPR compliant in five practical steps:
20 December 2017
Once GDPR takes effect on 25th May 2018, organisations that fail to process data correctly, report security breaches within a set time period, or comply with data regulations, will face fines and brand damage. These legislative changes emphasise how HR and payroll professionals need to be more security-conscious than ever before.
14 March 2018
With GDPR fast approaching, SD Worx commissioned an independent survey of HR and payroll professionals across nine European countries to determine GDPR readiness in the industry. These countries included The United Kingdom, France, Germany, Switzerland, Belgium, Ireland, the Netherlands, Austria and Luxemburg.
19 December 2017
Payroll, and the importance of payroll, is everywhere. Whether in Italy, France, or in Belgium, payroll is a crucial part of any organisation. Employees are the heartbeat of an organisation, so ensuring that they are paid on time and correctly is essential
17 May 2018
In February, SD Worx hosted its European Conference 2018 at Hilton on Park Lane, London, with over 800 attendees and 30 expert speakers. One of the sessions, titled ‘How to be internationally compliant in a digital world’, was hosted by Gert Beeckmans, chief risk and security officer SD Worx, and Frank Rudolf, director of payroll at PAREXEL. Here are their top five lessons on implementing GDPR:
1 March 2018
14 February 2018
With just six months to go until the General Data Protection Regulation (GDPR) takes force, payroll departments need to ensure they know what’s coming, or risk paying for it later. The stakes are high, as businesses that fail to comply with GDPR could face fines of up to 4% of their total annual revenue.
13 November 2017