What does privacy mean to us? With so many data breaches we try to do anything & everything to keep our data safe & that in simpler words is what GDPR helps us achieve. GDPR stands for General Data Protection Regulation, developed in the EU & now followed worldwide, this gives citizens more control over their personal data. The aim is to simplify the regulatory environment for businesses so that they can fully benefit from the digital space. It is without a doubt that we can say that our lives revolve around data. From social media companies to banks, retailers, & governments – almost every service we use involves the collection & analysis of our personal data. Now let’s understand which companies fall into the category of needing a GDPR & how can they establish it in their firm.
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
According to an article in LexCounsel, since GDPR has extra-territorial application & applies to the processing of personal data of EU residents even by entities situated outside EU, Indian entities who are acting as either a ‘controller’ (i.e. the person who determines the purposes & means of the processing of data) or a ‘processor’ (i.e. the person who processes the personal data on behalf of the controller), of personal data of persons of EU, in relation to the offering of goods or services to such persons or monitoring their behaviour in so far as it takes place within EU, become subject to GDPR.
Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes the personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data processing impacts the rights & freedoms of data, is not occasional or includes certain types of sensitive personal data.
What an HR needs to do to comply with GDPR
The GDPR introduces a considerable number of new information & regulations, so HR departments will need to dedicate time & resources to cover each new compliance area. Some of the most important tasks HR must address are:
Privacy Policies
Not only does an HR need to uphold new rights for employees, but they must also formalize & clearly spell out these rights for employees under the GDPR’s strengthened transparency & accountability requirements. HR will have to review & update its privacy policies to communicate these rights.
Processes
As a result of the GDPR, HR will need to review & update many of their current processes. For example, HR must only gather data that is relevant. This means HR will need to rethink any process that involves requesting personal data such as employee onboarding & transfers.
Security
With the stakes high for noncompliance, security must be managed. One step HR should take is to make sure the right employees have the right level of access when it comes to viewing employee data. Only those roles who truly need employee data should be able to access it.
Employee file management
The GDPR will result in new employee files that HR must have employees sign or acknowledge. On top of new documents, the GDPR places greater importance on timely document deletion since a company can be fined for holding onto data it doesn’t need. HR will need to review its current retention policies along with its process for managing document expiration dates.
Lastly, GDPR brings in various benefits that will impress your current employees & new hires as they know that the data that they provide is safe in the hands of the company. As a company, it also would help you stand out in a crowd as it would show to your customers & investors that you value them & are tech-savvy.