- What kind of data do they collect?
- Where do they hold the data?
- How do they use it?
- How long do they keep it for?
- Who has access to the data? Can any external organisations access it?
- What procedures, systems and controls are in place to secure the data?
If you’ve been putting off getting ready for the General Data Protection Regulations (GDPR), you won’t be able to for much longer. The EU’s new data protection laws come into force on 25th May 2018, and we can’t stress enough how important they are. You need to make sure you use and store data properly—not just your customers’ but also that of your employees and job candidates. If you don’t, you could face a fine of up to 4% of your annual turnover or €20 million (about £17 million), whichever is higher. The easiest way to make sure the way you gather and use HR data is in line with GDPR is to do a data audit. This will help you understand what your current data procedures are, and whether you need to change them. Start with a plan Before you begin, decide who’ll do the HR audit and how. The best people would be your HR, IT and legal staff. If you don’t employ anyone in these roles, you may need to do it yourself. You could also appoint a Data Protection Officer, or get an external company to do it. The latter might be the better option since they may have more specialised expertise. Make a list of the departments you need to speak to as part of the audit. These include payroll, recruitment and IT (once again, assuming they exist). What you need to gather The HR audit will determine what type of data you collect on your employees and how you use it. Remember that GDPR applies not only to the data you have on your current employees, but also to any information you gathered about unsuccessful job applicants and ex-employees. If your data came from other organisations, such as references from previous employers, you need to include this in your audit as well. How to gather data on your data Come up with a questionnaire or form that asks each department: