GDPR checklist: What have you done to prepare?

Employers must review the rights of their employees under GDPR in detail and have a thorough understanding of them now, to ensure compliance when the regulation takes effect. Here’s how:
 

• Obtain a good understanding of data subject rights under GDPR.
• Develop an intranet page on how you manage your workers’ personal data written in clear and plain language that your workers understand.
• Set up a procedure for dealing with (potential) requests from workers, addressing questions such as:
  • Where can they issue a request?
  • How will you validate the identity of the requestor?
  • Who in your HR department follows-up and manages the request?
  • Where and how do you register the request and keep track of it (evidence!)?

GDPR requires you to keep “a record of processing activities” which basically is an inventory of the personal data you are processing.

• Make an inventory of the categories of data you hold. Examples of such categories are:
  • Payroll and employee benefits date
  • Employee performance data
• Recruitment data of candidates that were not withhold
• Assign an information owner for each category of data.
• Check with your DPO, legal or compliance manager if there is a centralized, corporate personal data register.
• Have the information owners complete the personal data register and keep it up to date.

Keeping personal data longer than required has become a real liability with GDPR, and businesses need to make sure they get rid of it now.
Existing privacy laws already stipulated that you can only retain personal data for a period that is not longer than the one necessary for the purposes of the data processing. Implementing a data retention strategy for HR records is anything but simple and will be one of your bigger challenges.

• Go through your data register, and list the reasons you have for keeping your data such as:
  • Legal minimum retention periods (check with your legal department)
  • Your liability as an employer
• Services you deliver to your employees based on the data
• Based on these reasons, define the minimum and maximum retention periods for each category of data and have these validated by your legal department. Sit together with your IT department and your partners(!) to get these requirements implemented.
  X Don’t forget your paper-based records.

GDPR makes you liable as a data controller if you do not have sufficient guarantees that 3rd parties your work with are compliant.

• Review and complete the list of your HR/payroll business partners and evaluate if they have access to your personal data.
• Request a clear statement and more information from your partners on what they are doing to ensure compliance GDPR compliance. Be prepared to challenge them.
• Ensure a GDPR compliant data processing agreement is in place. Have a checklist ready to check proposed agreements.
• Integrate GDPR requirements in RFI/RFP templates and update your partner selection process to ensure you only work with partners that can guarantee compliance.

Revise your project management lifecycle and include these steps:

•  Define and document security & privacy requirements as part of every HR project.
• Test the requirements before you go live.
• Review the existing security measures in your HR department from a data subject perspective.
• Take the lead in your HR department by demonstrating and emphasising the importance of following security policies.

By following these steps now, you can achieve peace of mind that your HR and payroll department is ready for when GDPR comes into force. Take ownership of your data and make surely you fully understand the regulation’s implications to achieve compliance (and avoid potentially disastrous business consequences in the form of hefty fines).