In case you hadn’t already noticed, there are just a few months to go before The General Data Protection Regulations (GDPR) come into force on 25 May 2018. Organisations are urgently trying to get their houses in order regarding the way they collect and process data about their employees and even candidates for jobs.
‘So why the panic?’ you may think. GDPR, after all, is really only an extension to existing Data Protection rules, strengthening the rights of the individual to know what information is held about them.
What has really got people’s attention are the much-quoted penalties for flouting the rules: a maximum fine of 4 per cent of global annual turnover or €20m, whichever is the greater. Although the UK Information Commissioner has indicated that such fines will not be handed out for smaller transgressions, no-one wants to take the career-limiting step of exposing their organisation to embarrassment.
As far as Human Resources (HR) departments are concerned, the key issues shown in the Information Commissioner’s Office (ICO) guidelines are that personal information held by organisations must be accurate and up to date. It must be adequate, relevant and not excessive, held securely and not kept for longer than is necessary.
Consent – Organisations must make it clear to employees what will happen to their data and where it will be shared.
Data requests – Data access requests, known as subject access requests (SARs), must be responded to in a shorter timeframe.
Right to be forgotten – If individuals are not happy with you storing their data, they have a right to be forgotten. You must have a procedure in place to implement the deletion of personal data.
The GDPR has brought the whole topic of business records management to the fore. Personal data relates not only to the contents of personnel records, but will also include IP addresses and financial information which may be found in documents such as client files. In future, employees’ demands to see what information is held about them (SARs) must be promptly serviced.
Simply auditing file access, and who has viewed, printed or amended files, does not go far enough; one of the requirements of GDPR is to have control over the length of time documents containing personal data are kept.
However, help is at hand in the form of online tools for staying ahead of the game: cloud-based products such as ‘HR online’ from Cloud B2B Solutions are online document management systems that allow organisations to manage employee and candidate records efficiently, and to implement the correct processes to comply with the new regulations.
These products put business processes into the cloud, and facilitate a robust document retention policy – an essential part of an efficient and compliant records management system. They can allocate dates for documents to be destroyed or reviewed, and users can be alerted automatically at the relevant time.
The GDPR relates to both paper and electronic records, and managing paper records is much more difficult than managing electronic records. Converting paper records to electronic format is therefore the first step to take if GDPR compliance is to be achieved efficiently; fortunately, this can easily be done at a document scanning bureau.