We all know that GDPR is coming. Soon. But did you know that it affects your employee’s personal data, as well as your customers’?
Many companies are focusing their GDPR programmes on consumer data, but from May next year, your staff will have the same rights too. So all those bits of personal data you collect about your workforce – stored across different systems and spreadsheets – could be called for at any point. Would you be able to respond?! When you think how much personal data you generate yourself through your career, it might set off some alarm bells.

But where do companies need to begin? The first question to ask is “what constitutes employee personal data?” You need to know what you’re looking for. Aside from the obvious – name, address, date of birth, marital status, tax bracket etc. – you’ll likely hold their salary history, dietary needs, visa status, driving licence info and much more.

Think about it from an ‘employee lifecycle’ perspective. Prior to interview, they would have submitted something in advance – a CV, an application form, a letter, a test perhaps. This would have contained personal data. And when they visited, did you capture any ID? All of this could be requested under GDPR.

As staff move through their career, you’ll collect a lot more personal data. Training courses, secondments, international travel, expense claims, parental leave, performance reviews – everything will be recorded somewhere. Under the new regulations, you could be asked to show how and where you’re storing that data.

That’s when a lot of companies get concerned. Because personal data is most likely lying across a whole raft of locations – some digital, some physical. Those systems probably aren’t linked either, so you could have multiple versions of the same data. Not to mention all the duplicates, email attachments and printouts people are holding on to. This makes it really challenging to get a compliant company-wide view of all the personal data you hold.
Even if we imagine that all those issues have been addressed (everything is in place to satisfy the regulators that you can locate personal data if needed), things don’t end there! GDPR raises a whole series of questions around the security of personal data. How are you keeping it protected over time? How do you ensure the right people have access to it? How do you prevent potential misuse of that data?

There’s a wider compliance issue to consider too. Because GDPR is an EU regulation, you need to understand the effect of sharing employee data with other territories. There are many considerations.

At ADP, we recognised early on that GDPR was going to have a broader impact than just consumer data. That’s why, in 2016, we applied for three sets of Binding Corporate Rules to govern how we manage the personal data of our, our business contacts and our staff. These are recognised as the best path for compliance with GDPR.

One of the tools our find particularly helpful when preparing for GDPR is this employee lifecycle map. It helps you to map out where your employee data is currently stored, and to consider the different scenarios you might be facing come May next year. While GDPR is not far away now, there’s still time to get your internal data practices ready. Do take a look at the map and get in touch if you’d like to discuss how ADP can help further with your compliance programme.