#CleanOutYourComputerDay - GDPR Compliance
Tomorrow is #CleanOutYourComputerDay and this is something all companies should schedule into their operational and business planning.
Prior to May 2018, most businesses focused on preparing for the GDPR (General Data Protection Regulation): undertaking Data Protection Impact Assessments, determining the lawful basis upon which they would process data, and creating process flows to deal with right-to-erasure requests and subject access requests. Chances are, if you deal with anything other than minimal amounts of data, you carried out some kind of data cleansing exercise.
Personal data is data from which an individual can be identified. It extends beyond the obvious name and address data to include things like date of birth, NI number, vehicle registration, IP address and any email address that includes the person's name (even an info@ email address would be deemed personal data if only one person had access to it).
The Human Resources department was one area significantly affected by this legislation, and two years ago there was plenty of blood, sweat and tears put into making sure we were ready for 25 May. As well as the above, employment contracts had to be changed to detail the way personal data would be processed and to record the employee's agreement that customer data would be handled, stored and used in the correct way.
Data relating to health and medical issues was considered sensitive data, and in my client organisations where more than one person had access to HR files, documents that contained information relating to medical or health matters were removed from the main HR files and stored separately.
As the HR Consultant, I conducted Personal Details Audits with client employees to make sure that all the data held was still correct, and I encourage my clients to do this at least annually, because there is always one employee who has moved or changed their phone number and forgotten to tell us. The audit makes sure that, as HR professionals, we get the yearly opportunity to make sure our records are correct.
It helps to ask the employee during their induction to notify you of any changes, and if you have an Employee Handbook, the obligation to do this should definitely be included. But there will still always be one!
Data that is stored electronically is subject to Data Protection legislation, and that is why tomorrow is so important. During implementation you probably decided how long you would keep each type of document before archiving or destroying it. For example, I always encourage my clients to destroy records of disciplinary warnings once the warning has expired, both paper and electronic. Once the warning has expired you can't refer to it, so you shouldn't retain any data in which it is referenced.
When deleting electronic data, be mindful that you also empty your Recycle Bin; otherwise you have only moved the data, not permanently deleted it.
Emails need the same kind of regular culling, and remember it's not just the Inbox and its sub-folders. You should delete any relevant messages from your Sent folder as well. And again, don't forget to empty the Trash folder so that those emails are gone for good.
If you make written notes during an interview and the candidate makes a Subject Access Request (SAR) to see any records from their application, then legally you have to disclose this information. So, if your notes cover anything beyond the skills and experience relevant to the role, make sure that you destroy them.
Don't forget the sensitive personal data files you store separately from the main HR files too: the ones that contain doctors' certificates, hospital letters, self-certificates and return-to-work interview records. The electronic and paper files both need to be sorted out regularly, and out-of-date data destroyed in line with your organisation's retention schedule.
Bear Human Resources can advise on GDPR and data processing as well as all aspects of HR. If you would like to discuss how we can help support your business, please contact us today.