How Employee Communicators Can Prep for GDPR

On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. Is your employee communications department ready?

GDPR

GDPR is an updated data regulation that aims to give EU citizens and visitors more control and information on how their personal data is handled. But your business is in the States, so they can’t touch you? Wrong.

If you have employees living in the EU, an international recruiting strategy, or staffers whose work takes them to the European Union, this regulation and the multi-million dollar fines associated with non-compliance, apply to you.

Who has to do GDPR?

If you felt a little blood pressure spike, you are not alone. A 2017 Osterman Research paper found that 73% of businesses are not ready to satisfy the compliance obligations of the GDPR.

Who Does it Apply to?

GDPR aims to protect data subjects. But does that mean citizens, residents, travelers, or expats living abroad?

Define Data Subjects GDPR

Well, it’s complicated. According to an analysis by Cyber Counsel UK, a Data Subject is anyone within the borders of the EU at the time of processing of their personal data. That means residents, travelers, and expats all can be Data Subjects. However, if an EU citizen is traveling outside the EU, or becomes an expat, they are no longer a Data Subject, unless their data is still processed by an organization “established” in the EU.

Define ‘Data’

You might be wondering what data is covered by GDPR. According to the Information Commissioner’s Office, “The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

This data could be on computers, in the cloud, or even in a filing cabinet.

Data Defined GDPR

This includes:

  • Name
  • Email
  • Identification number
  • Location data

This reach continues into personal data that has been key-coded or machine scrambled, depending on how hard it is to attach those letters and numbers to a particular individual.

Are you a data controller or a processor?

GDPR assigns different responsibilities to data handlers, Controller and Processor. Commonly, your organization will be the Controller with your data-handling vendors assuming the role of Processor.

Controller or Processor in GDPR

The Role of the Data Protection Officer

It’s a good time to be an organized data nerd. GDPR compliance is creating a new cottage industry of Data Protection Officers or DPOs.

For many businesses, a Data Protection Officer (DPO) is optional but data protection processes are not. No matter your size, the GDPR requires every org that collects data to dedicate sufficient staff and resources to compliance.

Data Protection Officer GDPR

DPOs can be internal employees or contractors. Their job is to help you monitor and demonstrate compliance, inform you about your obligations, prepare Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the EU.

GDPR dictates that your DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.

However, you must appoint a DPO if:

  • you are a public authority;
  • your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.

What do we do?

To make sure you are in a good place, it’s time to get key stakeholders thinking about the May 25 deadline. Accuracy, communication, and documentation are key.

Audit Your Information

If you have staff in the EU, this should be an organization-wide push. Let’s start by documenting what personal data you hold, where it came from and who you share it with. Identify any risks and set plans to get them fixed before the deadline.

GDPR Information Audit

If you find you have incorrect data, correct it in your system and let anyone else you are sharing it with know so they can fix it on their end as well. You aren’t just being nice, it’s the law.

Determine Your Why

Look at the data you collect, is it necessary? ‘Nice to have’ data has no place in your department after the GDPR goes into effect.

If you are gathering GDPR-protected Data Subject information, you will need to identify the lawful basis for the data you collect. Before the GDPR goes into effect, you need to choose and document your lawful basis. “Take care to get it right first time,” ICO advises. “You should not swap to a different lawful basis at a later date without good reason.”

According to ICO, at least one of these must apply whenever you process personal data:

Consent
The individual has given clear consent for you to process their personal data for a specific purpose.
Contract
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal Obligation
The processing is necessary for you to comply with the law (not including contractual obligations).
Vital Interests
The processing is necessary to protect someone’s life.
Public Task
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate Interests
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

The reasoning behind your choice of lawful basis should be well-documented and easy to explain. Your chosen lawful basis can also affect the rights available to the Data Subjects. When dealing with personnel data, many organizations are choosing legitimate interests as their legal basis.

No matter what you choose, if you could get the same results without saving data, you are not in compliance.

Update Onboarding and Privacy Policy Language

GDPR regulations have no patience for legalese-filled privacy policies and onboarding docs.

Privacy Policy for GDPR

In addition to current EU rules that say you must let people know who you are and how you intend to use their information, starting May 25, your employee onboarding documents and Privacy Policy will need to include new information:

  • The exact lawful basis you are using for collecting the data
    • If some of the information you’d like to have is optional and falls under a different legal basis, allow your staffers to consent separately.
  • How long you will be storing the data
  • Information on the Data Subject’s right to complain to the ICO if they think there is a problem with your data handling.

These can’t rust on a shelf. GDPR requires that they are reviewed and updated regularly.

Check Your Procedures

Just because you have a lawful basis for data collection, doesn’t mean you are in the clear. Work with HR to bring data consent into established annual processes. Think HIPAA, but for non-essential personnel data.

Data Procedures for GDPR

Under GDPR, places that Data Subjects can consent to data collection or communications need to be reworked to remove any automatic opt-ins.

A GDPR-approved opt-in is:

  • Specific
  • Informed
  • Unambiguous
  • Clear
  • Prominent
  • Properly documented

Give Them Some Control

For data that doesn’t fall under the legitimate basis umbrella, work with your vendors to develop a privacy dashboard to give your associates the ability to update their information and to control what data is collected.

Privacy Controls GDPR

A user dashboard is a great place to start.

Prepare to Delete

GDPR dictates that you have to make it easy for Data Subjects to withdraw their consent at any time and tell them how it’s done.

Delete Process for GDPR

Once a staffer is no longer with your organization, set processes that ensure that unnecessary or outdated data is deleted at regular intervals. GDPR even allows Data Subjects to request that their data is removed from an organization.

According to NPR, Google has already received over 650,000 requests since 2014. If there is no compelling reason for your organization to keep their information, you have 30 days to complete the process. The same goes for any vendors with whom you share the data.

Check Your Contracts

Organizations governed under GDPR must update their contracts with vendors that handle data to include specific terms about how the data your organization provides will be handled.

Contracts under GDPR

If you don’t have a Data Protection Officer, ICO has created a helpful checklist for you to check your contracts against. Don’t forget to update your contract templates as well!

Communicate

Now that you have a plan in place, let’s widen the circle of knowledge.

Communicate GDPR

Create an informational campaign on your intranet, app, and email system to share relevant, personalized information on what you’ve done to comply. Then create simple to understand and implement procedures for staff who handle data.

Thanks to your planning and organizational skills, your business will be ready to face the data challenges of GDPR head on.

Director of Product, Cerkl

Post a Comment