The General Data Protection Regulation will apply from 25 May 2018. The new legislation introduces new requirements backed by higher penalties. These requirements include a greater emphasis on data security, transparency and accountability, together with enhanced rights for ‘data subjects’, which include your employees.
GDPR makes gaining control over your HR data, wherever it is stored, more important than ever before.
Keep HR data secure
The GDPR requires ‘personal data’ to be processed in a manner that ensures its security. Personal data is defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’, and covers paper files, spreadsheets and digital documents. The onus is on you as the data controller to demonstrate, for example, that you know where the information is held, why you collect it, how it is used and who has access to it, and that you have effective systems in place to secure it and report any data breaches.
With Cezanne HR, you can store all your HR information in a single, secure online HR system. You’ll benefit from advanced security at every level, from data encryption and role-based access to your HR system, to hosting within the European Economic Area by AWS, the world-leader in robust, secure Cloud-hosting. Scanned or digital documents are simple to upload into your Cezanne HR system so you don’t need to worry about how to secure or share paper-based records. Costs won’t be excessive either. Data storage, including uploaded documents, is included in your monthly subscription fees.
Improve data accuracy
Under GDPR you are required to ensure that personal data is accurate and complete and to put it right when it is not. This could be almost unmanageable if employees can’t see what data you hold about them in the first place. The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.
Cezanne HR combines easy-to-manage employee self-service with roles-based security and approval workflows, so you can allow employees to check and update their own information while staying in control. You can configure Cezanne HR to fit your own processes, for example to decide what information employees can be allowed to edit, whether changes should be approved and by whom, and where local variations make sense. It’s an effective – and secure – way of helping you with compliance, while simultaneously delivering a service that makes life easier for employees and their managers.
Manage data subject requests
Employees (and job candidates) already have the right under current data protection legislation to request a copy of the data you hold about them. GDPR requires that you respond to these requests more comprehensively and more quickly, and removes the right to charge (at least the first time). As employee rights to data under GDPR become more widely known, some experts are predicting a surge in these kinds of requests. Time will tell.
By storing your HR data and documents in one place (your Cezanne HR system), you’ll always know what information you hold about each of your employees. Straightforward reporting and export to Excel for HR administrators means you are better positioned to respond to data subject requests, as well as another requirement of GDPR: the data subject’s right to take their data with them in a manageable, digital format.
Track employee consent
In an employment context, consent is not the most appropriate option for processing most employee data. However, there may be occasions when you will need to obtain consent. For example, when collecting and storing information about employees that is not obviously needed to run your organisation, like tracking movements through remote control technologies such as CCTV and GPS, or passing employee information on to a third party for marketing purposes.
With Cezanne HR, you can easily generate personalised communications with e-signatures and track when (and whether) employees have consented. Other important GDPR-related communications, such as updates to your company privacy statements, employment contracts, or data protection policies can be managed and tracked in the same way. As everything is stored centrally, it’s easier for you to see when you may need to refresh consent, and employees can check back at any time to see what they agreed to.
Simplify data deletion
Once you no longer need personal data for the purpose for which it was collected, data protection legislation says it should be deleted unless you have other grounds for retaining it. These could be for legislative reasons, or if discarding the data too soon would disadvantage your business. To make matters more complicated, the GDPR expressly authorises individual member states to implement more specific rules in respect of the processing of HR-related personal data. It will be important to follow national law developments, in addition to more generic GDPR requirements, and adjust your policies to match.
An important first step is to understand what employee data you hold and why. For example, is it necessary for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims? This will help to inform the basis and timeframe for retaining or deleting data and provide a template against which you can review and delete the employee information you hold in Cezanne HR.
Whatever your approach, it is important that both a regular review process and methodical cleansing of HR databases (and paper-based records) are in place. A handy feature in Cezanne HR is the option to set reminders against leaver records, which can “nudge” HR administrators to revisit employee records. This means you can delete some information at the time an employee leaves, but schedule a reminder to delete other data, such as information relating to pay, working hours, performance or disciplinaries when the relevant period relating to statutory requirements has elapsed.
Build a culture of privacy
While some employees will have greater responsibility than others, data compliance is a company-wide issue. As the UK Information Commissioner, Elizabeth Denham, said recently:
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
Ensuring that your employees receive appropriate training is part of the solution. With Cezanne HR, you can easily review employee roles and responsibilities, allocate them to appropriate training activities, and set up notifications to trigger a reminder when training or certification is up for renewal or should be refreshed. And, with the integrated performance module, you can embed data security best-practice and discussions around GDPR compliance into employee appraisals, so you can ensure it becomes part of your organisation’s DNA.
Keep employees informed
The GDPR requires you to provide much more information to employees about how (and why) you use, manage and secure their data, and the rights they have over that data. Some of this is better managed through one-to-one communications, especially when tracking or consent is required. However, there is also an argument for creating an information hub that’s always on and always available.
The Workspaces feature in Cezanne HR allows you to quickly set up dedicated portals, targeted at different groups of employees if required, for example to address country-specific requirements. The portal manager, or managers (who can be anyone you nominate) will be able to upload relevant documentation, include links to relevant third-party sites, post updates with notifications if required, and provide a question-and-answer forum for employees. It’s an easy way to ensure GDPR visibility and keep compliance issues top of the agenda.
Information Commissioner’s Office: a comprehensive resource covering all aspects of data protection and GDPR in the UK
Bird & Bird GDPR Tracker: aims to show how and where GDPR has been supplemented locally
A usefully indexed version of the General Data Protection Regulation.