Written by Charlotte - 14 Nov 2017
Last Wednesday morning, we hosted our first Breakfast Briefing event. We wanted to do a walk-through of CiviHR so that attendees would have a clear overview of how the system works, with the opportunity to ask questions and fully understand what the system could do.
We also thought it would be helpful to situate CiviHR within a broader HR context to identify ways in which the system could support and improve different workflows. As GDPR is currently one of the biggest challenges for HR, we invited Emma Butler, formerly of the ICO and now data protection lead at Yoti, to talk about the new legislation, how it will impact HR data and what we must do to get ready. Using a secure system like CiviHR allows you to keep track of all your HR data and regulate access to it, both important factors in helping your organisation to prepare and ensure you remain compliant.
GDPR and HR Data
Emma shared the following tips to help your organisation prepare for GDPR before its implementation on the 25th May 2018:
- Create a solid project plan and stick to it. It’s unlikely all organisations will be 100% compliant by May. But a plan which identifies the priority areas and potential risks shows that you have thought it through, even if it takes you past May 2018.
- Make data entry a key part of the plan. Understand what data you have. Deconstruct each workflow to identify what you do with the data and create an inventory to show what it is used for, how long it is used, who processes the data, etc.
- Set up access controls. Data should be accessible at different levels, with certain information only available for a select group of employees. Limit access where possible.
- Establish retention periods. Stick to the principle of only keeping things as long as is necessary. Use a system where you can flag items for review and keep track of all data.
- Be transparent. Get better at explaining to people what information you have and what you are doing with it. You need to communicate what you are collecting and why. Consider using a self-service portal to help with this - employees can log on to the portal, then view and edit their information to ensure data is kept up to date.
- Examine the lawful basis for processing. There must be a legitimate reason for processing data, and under GDPR it is often the case that consent on its own is not sufficient. Alternatively, you should consider requirements set out in other areas, such as employment law. For example, bank details and address information need to be collected to send to HMRC.
We want to say a big thank you to Emma and all those who attended the event. It was great to meet everyone and to see so much enthusiasm in the room. We’ve had excellent feedback about the briefing, and want to do more. We’re currently planning which topics to cover in the future - if you have a suggestion, then please let us know!