The General Data Protection Regulation has got HR feathers in a flap

All organisations handling personal data are currently quaking in their boots – you can literally hear their soles clacking! Okay, maybe it’s not that bad, but the European General Data Protection Regulation has got HR feathers flapping as they now prepare for its introduction. So, what is it? What do we do? Well, your pals at Engage in Learning have the answers, have updated their workplace training courses and provide some guidance here to help you understand and prepare for compliance…

The General Data Protection Regulation (do you mind of I simply refer to it as the GDPR from here on in? Thanks) comes into effect on 25 May 2018 and will affect companies that fall into two rather broad definitions; controllers, who say how and why personal data is processed, and processors, who then act on behalf of the controllers. Simple enough so far, right?

So, for the processors, the GDPR will now insist that fixed legal obligations are adhered to, such as being required to maintain records of personal data and processing activities. In turn, the GDPR then places further obligations on the controllers to ensure their contracts with the processors comply with the GDPR. Still with me? Okay, let’s step it up.

There are also a number of additional obligations that both controllers and processors in the UK need to know, the biggest one being accountability. Here, the GDPR will require all companies to demonstrate ‘compliance by design’. That is, it is insisting that all companies, be they controllers or processors, ensure that they have adequate systems, contractual provisions, documented processing and staff training in place.

Here’s where it gets a little more tricky, particularly for those HR managers and their staff (who may feel the need to be asking for a pay rise anytime soon!). A huge part of all this concerns any information you may store that can identify an individual, but we’re not just talking names; it can include things such as bio-metric, genetic, cultural and economic information as well as email and IP addresses. Crazy, right? No! We’re giving away so many different types of personal data these days that someone has to make sure this is being controlled and kept safe. Jinkies, I even log onto my laptop with bio-metric data these days! Passwords were just getting too long and complicated (and what’s with all these judgemental scales about whether my hilarious play on rude words is “strong enough”?), so now I just swipe my finger across a sensor on the keyboard, it scans my finger print and, hey-presto, access to pictures of my dog. Anyway, I digress…

There is also the issue of informed consent. You are going to need to be able to demonstrate that you have reasonable steps in place to ensure that you have been explicitly clear when seeking informed consent, and this will include standardised methods of communicating details about how you or your company intend to use the information gathered. This in turn could open a can of worms bigger than a bird avery’s party keg, as we’re also talking language and literacy differences to consider *Shudder*. Also, it’s time to contact all those email addresses you’ve passively gathered in your ‘implicit consent’ groups and ask them if they actually want to be featured on your lists once you explain a few things to them. Go!

So, assuming you agree that all this sounds like a reasonable move forward (and even if you don’t), when do you need to start acting? Umm, now! You need to begin the processes necessary to ensure GDPR compliance. Don’t leave it until the last minute – if you have staff to train, get them trained. Get yourself trained. Get all of you booked onto a GDPR compliance training course without delay. It’s easy. It’s manageable. It’s necessary. Don’t get me started on the massive increase in penalties for data breaches once GDPR is in place..! You have been warned.

So, while it might seem like you have lots of time to hesitate or wait for that elusive moment when you’re not so busy (you know, the one that exists between avoidance o’clock and half passed procrastination), there is a lot to be done. Don’t wait and then leap at the last minute, that practise just doesn’t work out well for anyone. When I was a kid, I tried to jump across a dirty lake. I hesitated and didn’t get a good enough jog on before I got to the edge. Needless to say, I didn’t make it to the other side. Instead my mum just got really angry at me for “ruining my good clothes”. Don’t be that guy. Be smart. Get trained and make sure your staff are prepared for GDPR compliance.

Those clothes only needed a quick rinse in the wash though, to be honest. Good grief…

Tags: , ,