SATURDAY, JUNE 06, 2020 LawsWorkplace Today AdvertisingContact

Take a look at Workplace Today® for workplace news. Each month you'll benefit from well-researched legal information, detailed case studies on timely issues and concise reporting on today's labour trends from the best in the business. In short, a wealth of fresh information for today's managers and supervisors. Subscribe today!

Online Magazine
This Month
Free Preview

Click here for permission to reprint this article

Renew your Online Subscription!

10 Things HR Professionals Need To Do Before the GDPR Comes Into Force
Paul Burrin

There are only a few days until the General Data Protection Regulation (GDPR) comes into force, which will govern the levels of protection and privacy for all individuals. It represents one of the biggest shakeups as to how personal data should be handled.

As gatekeepers and processors of personal data, HR and People teams have a crucial role to play. So, as time is ticking before the new regulation is law, here’s a checklist of things you need to have actioned in preparation.

1. Identify why you need that personal data

As an employer, you must have a lawful basis to gather and process personal data. In most cases, this will be for lawful, contractual or legitimate purposes. For example, you may need to gather candidate contact information for communication purposes, or you may need social security numbers for tax and payment purposes.

However, in some instances, you may need to obtain consent from the individual to use the data for a specific purpose that falls outside the usual employer-employee relationship.
Action: Make sure you have clearly identified the lawful basis for all personal data you are capturing to manage data and consents accordingly.

2. Capture and manage consent for personal data

Under the new GDPR rules, where you process data on the basis of consent, that consent must be a freely given. In fact, it must be specific, informed and a clear indication of the individual’s wishes as shown by a statement or by a clear affirmative action. So, assumption, pre-ticked boxes, no reply email and inactivity do not amount to consent.

Furthermore, you also need to keep a record of this consent. Consider how you will track and update consent against each data point so that if consent or circumstances change, you are able to make the necessary adjustments quickly.

Action: get consent for the data you hold, make it easy to amend when necessary and set up an action to revisit periodically whether you still need the consent.

3. Keep employees informed about their personal data rights

The GDPR gives employees significantly more control over their personal data so as employers you need to let them know this.

Action: Keep your employees informed. Update your privacy notice statements for all employees and candidates explaining: what data you hold on them, what you’ll do with that data, where it is stored, how long you’ll hold it and what their rights are in respect of that data.

4. Use self-service to manage data access requests quickly and efficiently

Employees have always been entitled to request information about the data you hold on them, but The GDPR now makes this more accessible for employees. You’ll need an efficient way of enabling employees to see their data, change it as necessary, and understand how it is being used. This is where self-service comes in.

If your workforce can manage their own data through self-service functionalities in a HR or People system, then everything is suddenly significantly easier.

This also means that you can automate processes and notifications to the HR or People team regarding changes they may have to make when personal data is updated.

Action: manage change through automation and introduce self-service functionality to your HR systems.

5. Ensure you can provide data in an accessible format, and delete it, if requested

The GDPR allows employees to access their personal data if they wish, and in some circumstances, have their personal data erased.

Make sure you can provide the information requested in an accessible and machine-readable format, such as CSV, and you have processes for identifying, rectifying and deleting the data in line with requests.

Some cloud HR and People systems, such as the Sage Business Cloud People system, enable you to export data in the necessary formats and to anonymize and delete data where required.

Action: ensure the data you hold is held in an accessible format and easy to amend.

6. Audit all personal data held on employees

Does your department have boxes of paper scattered across the office? Bringing all your data into one place doesn’t just mean getting a handle on your electronic information but understanding and auditing paper copies you might have also.

Action: Securely destroy information you no longer need or have a legitimate reason to store. Upload any necessary data you still need to retain to your electronic single source of truth, before then securely destroying this too when ready. If you retain any of this paperwork electronically, make sure you have consent to do so.

7. Control who has access to the data

Do you know who can access your employee data? Carry out an audit of permissions to assess who needs to access what, why and when. Remember, you may need to communicate to employees who can access their data if they request information on this, so take this into account when deciding permissions

Action: Update your permission settings for your HR or People system to ensure that only relevant HR and People team members can access personal data.

8. Hold data security in a single source of truth

To prepare for the GDPR, you need to securely document all the personal data you hold, including information on where it came from and who you share it with.
This is hard when your data may be currently across spreadsheets or multiple disparate systems.

Action: Introduce a single cloud-based HR and People system, this will help control the data more effectively and give you greater confidence that what you hold is accurate.

10. Assess suppliers for their ability to comply with GDPR

Are the systems you use fully committed to ensuring your business is GDPR ready? Sage has a proactive GDPR strategy in place and are committed to ensuring the Sage Group products are GDPR ready. We are fully committed to our customers’ success, and regularly review our products to assist with this.

Action: Engage with your suppliers to check they are ready for the regulation.

For more advice about GDPR please see

Paul Burrin is Vice President, Sage People, a cloud HR and people system that helps transform mid-sized global businesses into people companies, masters at recruiting, managing and engaging talented employees.

This Month
Workaholics Rejoice: Work as Much as You Want

Don’t Settle for Managers. Develop Leaders

Why Multitasking May Be Bad for Business

Employer Not Vicariously Liable for Employee’s Alleged Sexual Assault

Employer Unfairly Terminated Employee for Incompetence, Arbitrator Finds

Termination for Smoking Marijuana at Work Was Not Discriminatory

10 Things HR Professionals Need To Do Before the GDPR Comes Into Force

Imagining Canada’s Economy Without Immigration

Government of Canada Funds Digital Technologies to Improve Accessibility for Canadians with Disabilities

Fed. Gov't Launches Future Skills Centre and Council Call for Proposals/Applications

Investment Will Help Create and Maintain More Than 200 Jobs and Promote Innovation in Atlantic Canada

Fed. Gov't Announces New Approach to Address Pay Issues

Keeping Current with Workplace Trends is becoming Essential for Canadian Employers

BC: Prov. Officially Proclaims International Workers’ Day

AB: Fed. Gov’t. Helps Indigenous Apprentices in Alberta Complete Their Technical Training

AB: Remember to Keep Cool When Working in the Heat

AB: Oil Sands Innovation Cuts Emissions, Creates Jobs

SK: Fed. Gov’t Provides Skills Training and Job Opportunities For Young Canadians In Saskatoon

SK: Young Workers Reminded to Take the Young Worker Readiness Certificate Course

ON: Prov. Passes Fair Wage Legislation to Protect Workers

NB: Prov. Invests $11.4 million to support research and development

NB: Fed. Gov’t Provides Skills Training and Job Opportunities For Young Newcomers In NB

NL: Changes to Corporations Act Support Immigration and Economic Growth

Half of Canadians Have Experienced A Mental Health Issue

Canada Falls in Innovation Rankings, As Weaknesses Persist

Warning: No part of may be copied or transmitted by any means, in whole or in part, without the expressed written permission of the Institute of Professional Management. Workplace Today®, HR Today®, Recruiting Today®, and Supervision Today® are trademarks of the Institute of Professional Management.

For permission to reprint, please click here.

© IPM Management Training and Development Corporation 1984-2020 All Rights Reserved
IPM Management Training and Development Corporation dba IPM- Institute of Professional Management