Incentive&Motivation Magazine Winter 2017 | Page 10

Helen Farr, Partner at Fox Williams
www.foxwilliams.com

WHAT SHOULD HR TEAMS DO TO GET READY FOR THE GDPR?

From 25 May 2018 the regulatory regime governing businesses' use of data will change substantially when the General Data Protection Regulation ("GDPR") comes into force. This will have a big impact on HR departments. While the GDPR builds on many of the principles of the Data Protection Act 1998 ("DPA"), there are new elements, as well as some practices which will need to be done differently. Penalties for non-compliance with the GDPR will also be much higher, with fines set at the greater of 20 million euros or 4% of global turnover, so it is important to get it right.

The impact of this cocktail of change will be a lot of work for HR departments. As a minimum, we expect HR teams to be responsible for undertaking the following:

• A data inventory and mapping exercise to understand what data they have, how it is used and which third parties are involved in processing;
• A gap analysis to work out what compliance steps are needed;
• A review of privacy policies, data protection policies and incident response plans;
• Drafting revised staff data protection policies and communications monitoring policies;
• A review of the recruitment and selection process and the use of data in these processes;
• A review of contracts of employment and policies and how the business uses employee data;
• A data privacy impact assessment;
• Training staff on data protection;
• If the business has global offices and personal data is commonly sent internationally, a review of these processes.

So, how do you approach this? The first step is to get support from colleagues in legal, compliance, marketing and commercial teams, as the issues do not solely impact on employee data.

The second step is to carry out an audit in order to understand what employment data your business has, how it is used, where it is held and whether any third parties are involved in processing the data.

Once these initial tasks have been performed, HR should:

1. Review policies and procedures currently in place and consider how they need to be amended going forward, including data protection policies, communications monitoring, recruitment and selection;
2. Amend data protection clauses in employment contracts;
3. Provide training on data protection to the workforce;
4. Consider how to transfer data outside the EEA;
5. Consider how to manage data subject access requests under the new regime.

The biggest challenge is making sure organisations do not leave it too late to get ready for the new regime. The key message is: take action now, consider how the GDPR will impact your organisation and take advice from your legal and compliance advisers if needed.