Well, obviously, I couldn’t let the opportunity go by without a few words on this topic.
We are bombarded by emails reminding us of the impending enforcement of the General Data Protection Regulations on Friday 25 May.
I wanted to offer some thoughts based on my personal experience.
EvolutionHR held a seminar on GDPR back in September. Here we heard from Graeme Fearon, a lawyer with expertise in data protection, amongst other things. He very ably and clearly talked us through the upcoming requirements, with a special focus on what HR professionals needed to be doing within their organisations.
This somewhat set my mind at rest, although at that point Graeme made it clear that the ICO (Information Commissioner’s Office) were still, and indeed are still, working on some aspects of these guidelines and how best they can be put into practice. According to their website, the ICO have the task of ‘upholding information rights in the public interest’; they are the ones providing guidelines on the GDPR and are the source of support and advice on how to apply them. For example, how do you prove you’ve destroyed someone’s personal data at their request? How do you prove a negative?
From an HR perspective, if nothing else, this provides you with a really good reason to focus on decluttering your offices and ensuring there are no secret stashes of appraisal forms, application forms, interview notes, and other HR related documents lurking in cupboards and pedestals. Ring any bells?
Also, I imagine that, like me, you’ve almost been overloaded by emails, articles, and webinars on various aspects of GDPR, all of which have nuggets of helpful information.
I’ve also been approached by a series of ‘experts’ who offer (for a large fee) to ‘get your organisation through GDPR smoothly’. Common sense tells me that many of these so-called experts are simply getting on a lucrative bandwagon, but then there may well be genuine experts out there too – how do you decide?
So what pieces of advice have I taken on board and am working with?
The worst response to upcoming GDPR is to do nothing.
Read what you can and at least track what information you hold and where it is held.
Determine why you hold it – is there a lawful basis? These are listed on the ICO website and really help you to focus.
Write down what personal data you tend to have – both employees and clients/contacts, how you obtain it, where it is stored, why you have it and when you delete/destroy it.
Ensure that both employees and clients/contacts are made aware of the above.
Invest in a good shredder – do not keep what you do not have to keep.
Ensure that all our contacts have specifically agreed once more to receive our newsletter and seminar invitations. We hope you will!