3 min read | 11 January, 2018 By Melissa Jones
The way we manage data has changed beyond all recognition in the last few years, with many businesses switching to computers, online and cloud-based services. However, the laws governing how that data is managed haven’t kept up with the technological changes. That will all change when the General Data Protection Regulation (GDPR) comes into play on 25th May 2018.
The introduction of GDPR will mean that employers will need to be much more mindful of how they collect, store and manage the data of their employees. Here are three proactive tips for employers on what they can do to ensure they are GDPR compliant.
Under GDPR you must appoint a data protection officer (DPO) if:
Whether you are obliged to or not, you are encouraged to appoint a data protection officer so that you have someone dedicated to managing your data processes. As a small business, this probably doesn’t require a full-time position. It can be an existing employee, provided their DPO role doesn’t conflict with their existing duties, or you can appoint someone into a standalone role, depending on the size of your organisation.
If you do appoint someone, however, even if you are not required to, you will then be obliged to comply with the legal requirements GDPR sets for the role. If you decide to appoint an officer, they must:
It’s good practice to review regularly what information you hold on your employees and what data you work with in general.
It is important to keep track of how your data is collected and used. Do you have a paper-based system organised in a filing cabinet for your employee personnel files? Are you using manual electronic employee records such as Word documents or spreadsheets, or have you moved to HR software, which often allows employee self-service? Do you store this data on a local internal system, or do you rely on cloud-based services?
Make sure the data you collect is relevant to your business. For example, storing records about employees’ work history is a legitimate use of data, but storing information about what they like to eat and their favourite colour could be classed as unnecessary unless you can show it is relevant to your business.
Also, make sure you know what processes are being used and how the data is handled, check that it is handled securely, and review your policies regularly.