19 March 2018 - Reading time: 4 Minutes
With just over two months to go until the General Data Protection Regulation (GDPR) comes into force, the clock is ticking for HR and payroll managers to get the systems and processes in place to ensure compliance. The regulation, coming into effect on 25 May 2018, updates data rights for today’s networked world and organisations ignore it at their peril. A major infringement could cost a company up to €20 million or 4% of its global annual turnover, whichever is higher, while a lower tier of up to €10 million or 2% applies to failures such as not keeping records of processing in order or not notifying the supervisory authority within 72 hours of becoming aware that personal data has been exposed in a security breach (affected data subjects must also be told without undue delay where the breach puts them at high risk).
Here are six things you should be doing now to prepare for GDPR:
In essence GDPR comes down to the rights of individuals and their data, and the way organisations manage and protect that data. While many of the rights are already covered in existing legislation, there are significant enhancements including the new right to erasure (commonly known as the right to be forgotten) and the right to data portability. Those in HR and payroll will need to consider payroll and employee benefits data, employee performance data and recruitment data. It is vital to get leadership buy-in and ownership of the adoption of GDPR. Create a corporate policy – a company statement explaining how you manage employee data, such as what information is collected, how it is collected, how long it is stored for, what systems are used and how data is stored. This information has to be delivered in plain language that can be easily understood, so don’t write it in ‘legalese’ with a large disclaimer! Make sure you can demonstrate that you have provided this to employees, for example through an intranet. Set up standard operating procedures, such as how and where employees can issue a request to access their data, how you can validate the identity of that employee and who in HR will be responsible for dealing with data requests. Create a process for checks. For example you may need to check with legal if there is an ongoing dispute with that employee before changing data.
A register of the personal data you process is likely to be the first thing GDPR enforcers ask to see. However, you can’t protect what you don’t know you have. So, the first thing to discover is exactly where all types of personal data sit in the organisation. Check what software applications you have, spot potential gaps such as legacy software, consider what is used locally and what is used globally, and check for any applications currently in development versus ‘live’. Developing an exhaustive register is not easy so start by making an inventory, but don’t go too deep – you don’t want 900 fields in payroll! Is there a centralised corporate register already in existence to which you can attach your employee data? Assign an information owner to each category of data and ensure they are tasked with keeping the register updated, with at least one review a year.
Existing regulation already says companies should not keep data longer than needed, but there has been little enforcement of this. Under GDPR you need a lawful basis for each specific purpose for which you use personal data (for payroll this is usually the employment contract or a legal obligation rather than consent, since consent from an employee is rarely considered freely given), and you also need to be explicit about how long you keep data records – and there will be a significantly higher sanction for non-compliance. Two principles apply here: data minimisation, and privacy by design and by default. In other words, the default settings or processes should protect the privacy of the employee without his or her manual input. So clearly communicate how you will use data and define minimum and maximum retention times. Don’t forget to get this validated by your legal team, for example to ensure compliance with other employment laws. As mentioned, employees can request a copy of their data and request its erasure, and where processing relies on consent they can withdraw that consent at any time. In HR, it’s important to consider other legal implications of this right to be forgotten, for example the need to keep records for any potential litigation: erasure does not apply where you are legally required to retain the data or need it to establish or defend legal claims.
GDPR says you have to assess risks and take appropriate technical and organisational measures to ensure the security of personal data. So, look at your own processes and ask yourself, what could go wrong in terms of the confidentiality, integrity and availability of personal data? What if it were your own data, or that of your mother or best friend? Would you feel your data was safe and the procedure clear? What if you are an employee in a different geography? Define and document all regions in which employees work. What if you work in an open environment? Think about clean desk and clean screen policies. And lead by example – this is not just an IT issue.
One of the biggest challenges is embedding GDPR principles into the culture of the business. Provide training and guidance to employees to ensure data rights protection is part of the DNA of the business. Think about the ‘small’ things. For example, how many times have you picked up printed CVs or Excel sheets before the person who printed them got to the printer? What about email? Employees need to be mindful of ‘Reply All’ or sending emails to the wrong person in their address books.
You are not alone in the data ecosystem. Make sure you challenge your HR and payroll providers to ensure they are compliant. Review your contracts with third-party providers (GDPR requires a written agreement with any processor that handles personal data on your behalf), and review the software they provide and how that software is designed. Any reputable third-party provider, such as SD Worx, will be happy to collaborate and help you to move to GDPR compliance.
When it comes to being digitally compliant in an international world, GDPR will pose many challenges for HR and payroll departments. Many organisations will need to change their policies and adapt as they go, learning from other companies. Make sure that your organisation – and any third parties who handle or process your company or employee data – are GDPR compliant. This will reduce the risk of GDPR sanctions in the short and long term, and will give you peace of mind when it comes to GDPR compliance. SD Worx aims to give guidance and provide news on this historic legislation from an HR and payroll standpoint, as it will impact businesses across the globe. Follow our monthly GDPR webinar – check the complete schedule and register here. You can also visit our GDPR page or email us at WeAreGlobal@SDworx.com. For commercial questions contact us here.
Twelve months ago, HR and payroll teams around the world were preparing for the changes that the new General Data Protection Regulation (GDPR) was set to bring to the industry. So, how are they coping with compliance today?
23 May 2019
With the festivities over and the new year well underway, many of us returning to work may have already given up on our new year’s resolutions for 2019. When it comes to the HR and payroll industry, however, there are several resolutions that HR and payroll teams should commit to in order to keep their payroll powerful and running efficiently throughout the year.
10 January 2019
It’s likely that, whether or not an organization operates in the EU, it has heard of the General Data Protection Regulation. GDPR, which came into effect on 25th May 2018, changes the ways that data is processed, stored, and used by organizations.
9 November 2018
On 31st October, SD Worx is hosting an exclusive webinar, in collaboration with Ascender (also a member of the Payroll Services Alliance), to discuss the General Data Protection Regulation (GDPR) and how it affects organisations outside of the EU.
19 October 2018
If no agreement between the UK and the European Union is reached at the EU summit on 18 and 19 October, the transitional period that would have applied until the end of 2020 will expire. As a result, on 29 March 2019, the UK’s membership in the EU will end, and EU law will no longer apply. If your company employs people in or from the UK, this change could be far-reaching. So, take the bull by the horns and avoid unpleasant surprises caused by a ‘no deal’ scenario by making the right preparations.
16 October 2018
In the lead up to 25th May 2018, the General Data Protection Regulation (GDPR) was everywhere as organizations across Europe (and further afield) prepared for stricter regulations on handling customer and employee data. Three months have passed since its implementation, but what’s new with GDPR?
20 August 2018
Payroll, and the importance of payroll, is everywhere. Whether in Italy, France, or in Belgium, payroll is a crucial part of any organisation. Employees are the heartbeat of an organisation, so ensuring that they are paid on time and correctly is essential.
17 May 2018
With just six months to go until the General Data Protection Regulation (GDPR) takes force, payroll departments need to ensure they know what’s coming, or risk paying for it later. The stakes are high, as businesses that fail to comply with GDPR could face fines of up to 4% of their total annual revenue.
14 May 2018
With the implementation of the General Data Protection Regulation (GDPR) next month, an organisation working with HR and payroll vendors is responsible for ensuring that these business partners are GDPR compliant. Any external organisation that handles the data of employees or customers must be compliant, otherwise the organisation is also at risk of breaching GDPR.
26 April 2018
With the 25th May deadline only a month away, it is more important than ever for HR and payroll departments to ensure that they are GDPR compliant. If organisations are not compliant the penalties are significant, with fines of up to €20m or 4% of global revenue, and companies will undeniably suffer from significant brand damage.
So, what should HR and payroll teams do during the next month to ensure that they are compliant and ready by the deadline?
9 April 2018
Once GDPR takes effect on 25th May 2018, organisations that fail to process data correctly, report security breaches within a set time period, or comply with data regulations, will face fines and brand damage. These legislative changes emphasise how HR and payroll professionals need to be more security-conscious than ever before.
14 March 2018
If you want to learn best practice in handling data in light of the General Data Protection Regulation (GDPR), you can do no better than to look at DuPont. Now part of science giant DowDuPont following a merger last year, the organisation treats data as part of its DNA and has a long history of embedding data protection into its culture.
12 March 2018
PAREXEL provides best practice examples to international organisations.
With the General Data Protection Regulation (GDPR) coming into effect in May 2018, all organisations who handle data of EU citizens will need to comply with new guidelines. By nature, HR departments hold personal and sensitive employee data, including payroll data. However, with an increasing number of payroll and HR departments adopting automated payroll processes, the question arises: how do you become compliant in a digital world, especially if you are an international company?
12 March 2018
Once GDPR comes into effect, companies must be able to provide employees and data protection authorities with carefully documented information about the data they hold. To simplify this, these records should be kept in the form of a data register, filled in by HR and payroll professionals alongside other departments within the organisation. But how should HR and payroll departments set up and maintain a data register?
In February, SD Worx hosted its European Conference 2018 at the Hilton on Park Lane, London, with over 800 attendees and 30 expert speakers. One of the sessions, titled ‘How to be internationally compliant in a digital world’, was hosted by Gert Beeckmans, chief risk and security officer at SD Worx, and Frank Rudolf, director of payroll at PAREXEL. Here are their top five lessons on implementing GDPR:
1 March 2018
With the General Data Protection Regulation (GDPR) around the corner, employees will soon have the right to know the status of the personal data that companies retain. Ex-employees and unsuccessful applicants can also request that their data is discarded (if the necessary period for keeping their data has expired). Because of this, it’s important that data is processed and stored clearly and correctly.
14 February 2018
On Wednesday 25th January, SD Worx and DLA Piper hosted the second webinar in our General Data Protection Regulation (GDPR) series, focused on implementing an appropriate retention policy for employees’ data.
29 January 2018
With the GDPR deadline just four months away, are you prepared? To help get your HR and payroll department ready for when the regulation takes effect on 25th May, we’ve put together a checklist of essential steps to compliance.
19 January 2018
With the General Data Protection Regulation (GDPR) due to take effect in less than four months’ time, it’s essential that HR managers understand exactly what the regulation entails.
15 January 2018
With the General Data Protection Regulation (GDPR) deadline just four months away, is your organisation prepared? To help get your HR and payroll department ready for when the regulation takes effect on 25th May, we’ve put together a checklist that includes the essential steps to compliance.
8 January 2018
With GDPR on the horizon, are your HR and payroll departments prepared? With large fines and serious damage to your business’ reputation at stake for non-compliance, here’s how you can become GDPR compliant in five practical steps:
20 December 2017
With GDPR fast approaching, SD Worx commissioned an independent survey of HR and payroll professionals across nine European countries to determine GDPR readiness in the industry. These countries were the United Kingdom, France, Germany, Switzerland, Belgium, Ireland, the Netherlands, Austria and Luxembourg.
19 December 2017
On Thursday 30th November, the SD Worx and DLA Piper teams hosted the first webinar in our General Data Protection Regulation (GDPR) series. This webinar focused on the HR and payroll industry and how it should manage the data rights of employees.
11 December 2017
In the upcoming webinar, titled ‘GDPR: Dealing with the data rights of your employees’ and brought to you by SD Worx and global law firm DLA Piper, HR professionals can learn about data subject rights ahead of the General Data Protection Regulation (GDPR). This is the first in a series of GDPR guidance webinars to be launched in the run up to May next year.
22 November 2017
With just six months to go until the General Data Protection Regulation (GDPR) takes force, payroll departments need to ensure they know what’s coming, or risk paying for it later. The stakes are high, as businesses that fail to comply with GDPR could face fines of up to 4% of their total annual revenue.
13 November 2017
We all know GDPR is coming, but is your business really prepared for it? To help get your HR and payroll department ready for when the regulation takes effect on 25th May 2018, we’ve put together a GDPR checklist.
25 October 2017
Exactly who should be responsible for data protection within an organisation? Should it be a matter for C-level staff only? Or the IT department? The sales and marketing department collecting customer information? Or is it time to appoint a dedicated Data Protection Officer?
18 October 2017
We have previously discussed what the General Data Protection Regulation (GDPR) is, when it will come into play and the consequences of breaching it. In this blog, we want to focus on the key provisions of GDPR and how it will affect businesses.
Having joined the GDPR bootcamp for Marketers in Reading on the 15th of September, I wanted to share what I have learned during this full-on (but very enlightening) day in an easy-to-digest blog:
2 October 2017
Chief Legal Officer of SD Worx, Jacqueline Raison, has written some useful information on GDPR and what it might mean for your organisation. This is the second of a series of articles on the steps we are taking at SD Worx to ensure GDPR compliance.
Jacqueline Raison - 6 September 2017