How to be internationally compliant in a digital world

With the General Data Protection Regulation (GDPR) coming into effect in May 2018, all organisations who handle data of EU citizens will need to comply with new guidelines. By nature, HR departments hold personal and sensitive employee data, including payroll data. However, with an increasing amount of payroll and HR departments adopting automated payroll processes, the question arises: how do you become compliant in a digital world, especially if you are an international company?

HR and payroll departments will need to change the way they handle employee and customer data—both paper and digital—which will likely cause difficulties for payroll professionals. To explore these challenges and offer solutions, Gert Beeckmans, Chief Risk & Security Officer SD Worx, and Frank Rudolf, Director of Payroll PAREXEL, discussed GDPR compliance in our digital world at SD Worx’s European Conference 2018 in London. Here are the key takeaways:

PAREXEL is a multinational life sciences consulting firm, operating in 95 countries. 
In terms of data, PAREXEL processes both personalised and pseudonymized client data. For example, clinical trials have personalised data which is clearly identifiable, and this data is pseudonymised and sent onto the next phase of a clinical trial. Alongside client data, PAREXEL also processes the personal data of staff, including 17,500 employees across 84 offices around the world.

When it comes to dealing with the digital data of both clients and employees on an international level, it is important for organisations to get the HR department on the way to GDPR compliance. To do this, PAREXEL split its approach into three stages—the fundamental, advanced, and long-term vision of data compliance. PAREXEL also focused on the IT-infrastructure as a core aspect and the overall organisation as another, splitting and appointing different roles and responsibilities within the two sections.

For example, for the IT-infrastructure, a fundamental approach was to setup the action plan and appoint key responsibilities, the one of the advanced tasks was to create a software register, and the long-term plan was to maintain documentation. On the other hand, for the overall organisation, one of the fundamental tasks was to ensure C-level buy in, an advanced task was to review employment contracts, and a long-term plan was to train staff for effective GDPR leadership. 
While putting this plan together, PAREXEL understood the importance of C-level acknowledgement of GDPR for both short and long-term activities. Although the long-term goal is to maintain GDPR digital compliance across the countries, there were also fundamental steps that needed to be taken beforehand. These included:

Once a plan is in place, and the key responsibilities are delegated to the necessary departments or individuals, there are various tasks that the HR and payroll department can complete. By doing this, it is clear which policies are in place and who is responsible for them, ensuring that employees are aware of upcoming and ongoing changes. 

Firstly, the HR and payroll department can work with the IT team to develop an intranet page that explains how employees are going to be affected by GDPR. Collaboration is key when it comes to international compliance in the digital world, so departments should work together to produce a clear explanation for employees. This can be done internally—without input from the legal team—as it is important for employees to understand the upcoming changes. The intranet page can explain the rights that employees now have over their data, including right of access, right of correction, right of erasure, and right of data portability, among others. 

Alongside a clear intranet page, organisations should also complete a data register. The data register includes all the personal customer and client data the organisation is processing. Under GDPR, the amount of time a company can hold data is changing, so a completed data register will allow HR and payroll departments to understand where the data came from, why they need it, and when it should be deleted. A simple data register that is filled out correctly will ensure that the organisation is GDPR compliant, and will allow weekly, monthly, or annual reviews to be completed easily.

When developing the data register, an inventory of the categories of data the organisation holds should be listed – for example, payroll and employee benefits, employee performance data, and
recruitment information. Once the data categories have been identified, an information owner should be decided for each one (checking with your Data Protection Officer or legal team that there isn’t a data register already in place). If there is already a data register set up, HR and payroll teams should add to this list, to avoid multiple data registers in a single organisation—even if it is international. 

HR and payroll departments should also set up a procedure on dealing with requests from existing or potential employees. Where can they issue a request? How will the team validate the identity of the requestor? Who in the HR department follows-up and manages the request?

When it comes to data subject rights, PAREXEL ensured that all employees were informed on how HR data is collected and used. Alongside this, every HR professional completes GDPR online training via PAREXEL learning management system. PAREXEL also set up Standard Operating Procedures (SOPs) that define the process for handling data requests of employees—so there is a clear structure in place.

Although existing privacy laws already stated that a company can only retain personal data for as long as it is required, GDPR puts stricter restrictions on holding data. For example, there are significant sanctions if organisations do not comply with data retention rules. 

In an increasingly digital world, it is important that all records of data are destroyed correctly and at the correct time. Based on the data register that the organisation develops, the HR and payroll department needs to list the reasons for keeping the data. These could include:

• Legal minimum retention periods 
• Liability as an employer
• Services you deliver to employees based on the data

By defining the minimum and maximum retention periods for each category of data—and validating these with the legal department—the data will be destroyed when necessary and no sanctions will occur.

--

When it comes to being digitally compliant in an international world, GDPR will pose many challenges for HR and payroll departments. Many organisations will need to change their policies and adapt as they go, learning from other companies. 
Make sure that your organisation—and any third parties who handle or process your company or employee data—are GDPR compliant. This will remove the risk of GDPR sanctions in the short and long-term, and will give you peace of mind when it comes to GDPR compliance. SD Worx aims to give guidance and provide news on this historic legislation from an HR and Payroll stand point which will impact businesses across the globe. For more information please visit our GDPR Page or contact us.