Policies and Training

GDPR Compliance and Why it Matters to HR

It’s critical to outline an all-encompassing security policy that can be used as a reference for all employees, especially ahead of new legislation – and with 25 percent of information breaches caused by employee error, it’s evident that the need to increase employee awareness around data security is critical. An information security handbook should not only outline best practices on a broad scale, but serve as a platform to alert employees of any existing regulations that could impact their work. Additionally, this handbook should be updated regularly to reflect any new legislation that could affect the business, such as GDPR.

Board with GDPR Inscription

#Urban-Photographer / iStock / Getty Images Plus / Getty Images

As it relates to GDPR, this literature should articulate that employees who obtain information from EU residents must keep a record of the category of data collected/received, and document how long the data has been stored before being securely destroyed. With that, this guideline should detail the safest information storage and destruction methods for this data, in both physical and digital formats.

The role of HR is essential to ensure that security guidelines resonate with employees and must be carried out accordingly. HR professionals should be able to communicate exactly how all personnel will be impacted by GDPR regulations and any subsequent changes to their individual roles and responsibilities. The security handbook is a critical resource for staff to leverage for continued reference and support.

Offer ongoing training opportunities – and lead by example

While having a defined strategy in place is the first step toward ensuring that employees have the knowledge required to conduct day-to-day functions safely, training opportunities are also essential to drive those messages home. Within regulation changes and policy alterations, it’s important that employees feel they have the resources to answer questions that will likely arise. Offering opportunities for staff to receive in-person guidance and a safe space to ask the questions that might not necessarily be answered in the aforementioned handbook is key to mitigating risk of a breach at every level of the business.

HR is important here as they are responsible for establishing an environment in which employees feel safe and able to ask questions and seek guidance. In offering these opportunities to meet with expert HR professionals and senior leadership, employees can be assured that they have resources they can leverage for help.

Organizations with more than 250 employees must appoint a data protection officer (DPO) who is equipped with the knowledge of data protection laws and procedures. However, firms of any size that handle personal data should appoint someone to lead information security. As HR professionals handle sensitive and confidential information about the company and its employees daily, they are ideal candidates to head a company’s information security initiative. HR departments should utilize their firsthand experience as daily data protectors to demonstrate how personal information should be managed and maintained. Furthermore, HR should consult with legal counsel as well as data protection and information security specialists along the way to ensure that any existing data protection gaps are closed.

Don’t forget about physical data

The GDPR requires appropriate measures to protect personal data in the workplace, and all IT systems will need to be updated to include functionality to protect privacy of individuals. Beyond IT protection, these same measures should be taken to protect physical data too. Identifying any points in the office space that could potentially pose a threat to physical data security is the first step toward creating an environment that is less susceptible to a breach.

The most vulnerable physical information often lies in unassuming places – think printers, messy desks, old storage bins and employee paper recycling bins that are scattered and unattended throughout the office. These risk points are vulnerable to both insider and outsider theft because they could contain documents that share sensitive client and company information. What’s more, if left unattended and unaccounted for, the retention of these documents could go against GDPR regulations relating to how long documents should be kept.

To prevent breaches or non-compliance, HR pros should work with staff to identify a document management process and time frame that details how to securely organize physical documents for storage, retrieval and record-keeping. Key areas to include within the document management process:

  • Determine a lifespan for physical documents – GDPR mandates that personal information cannot be held for any longer than necessary, and only for the purpose it was originally collected. Businesses must keep tabs on what/how sensitive materials are being stored within the office in order to maintain compliance.
  • For documents that need to be filed, make sure they’re being kept in secure, locked filing cabinets.
  • Think twice before tossing – for any documents that need to be discarded, ensure they are securely shredded before throwing them in the trash or recycling bin.

Ultimately, the widespread damage resulting from a breach or non-compliant behavior can make or break a business. Beyond the associated costs – organizations that do not maintain GDPR compliance can face fines up to 4 percent of their global turnover – businesses that do not adhere will inevitably compromise their reputation, current and prospective clients, employees, revenue and even face legal consequences. Developing an environment that prioritizes data security is key to mitigating risk and ensuring that employees are equipped with the knowledge your business depends on to maintain compliance, especially amid times of change.

Ann Nickolas Ann Nickolas, Vice-President of Shred-it, oversees new business development and account management for customers in the commercial, healthcare, and government verticals. In her role, Ann helps businesses secure their confidential information with products and services, policies and training, that help protect them from the risks, fines, penalties, and loss of revenue that come with an information breach.
With a history of senior leadership roles in respected global companies like Compass, Cintas and Coca-Cola, Ann is uniquely positioned to understand the specific information security and privacy challenges facing the hospitality industry.