As part of complying with the General Data Protection Regulation, businesses of all sizes will need to conduct an audit of the personal data they hold and process about employees. This will help you identify what data you actually have and any areas where your processes and practices might need tightening up. An audit is also in itself a key part of compliance, as the GDPR comes with new accountability and record-keeping requirements.
Many small businesses won’t have conducted this kind of audit before, so we’ve identified five key steps you need to take:
1. Establish the scope
The first step in conducting an audit is identifying the scope, to ensure nothing is missed and to avoid duplication. The audit should include personal data on employees, workers, job applicants and any other individuals within the HR area of responsibility, such as contractors, volunteers, interns, apprentices and former employees.
The audit should cover data kept on your own systems and also on third-party systems if you outsource any aspect of data processing/record keeping.
2. Identify what information to capture in your audit
When conducting your audit of HR-related personal data you will need to capture the following:
- Why you are processing the data
- What legal ground(s) you have for processing the data
- Whether or not the data falls into one of the “special categories of personal data” (broadly the same categories as sensitive personal data under the Data Protection Act 1998)
- Whether or not the personal data relates to criminal convictions and offences
- Categories of data subjects
- Source of the data
- Date of collection and retention period
- Information provided to job applicants or employees regarding their data (e.g. privacy notices)
- Whether or not the data is used for automated decision-making
- Whether or not relevant systems allow for compliance with subject access rights (including portability rights), rights to request correction, erasure and restriction, and rights to object to data processing
- Details of who has access to the data
- Whether or not the data is transferred to any third party
- Whether or not the data is processed jointly with another data controller
If your current practices are compliant with the GDPR, the audit will capture and demonstrate this. Where they are not, it will help you develop an action plan to ensure you are compliant in time for the May 2018 deadline.
3. Identify how you will collect the information you need
There are a number of different methods of collecting the information required for a data audit; how you do this will depend on the IT systems you use and on how extensive or complicated your data processing activities are.
You may need to issue questionnaires or conduct interviews with relevant employees or external third parties involved in data processing, and will need a suitable format for recording findings, including gaps in compliance, recommendations and actions taken.
A simple spreadsheet or table is likely to be sufficient for most small organisations with only limited amounts of personal data, but depending on the nature of your organisation’s activities, you may need something else, including external tools or consultancy assistance.
4. Create a data register
Organisations are required by the GDPR to keep a “record of processing activities”, also known as a data register. This must then be made available to the Information Commissioner on request, and must include information about all personal data processed by the organisation, including:
- the name and contact details of the organisation, of any joint controller, and of the data protection officer (if applicable);
- the purposes of the processing;
- the categories of data subjects;
- the categories of personal data;
- the categories of recipients to whom the data has been or will be disclosed;
- where applicable, transfers of data to countries outside the EEA or to any international organisation (which in both cases must be named) and, in some cases, details of safeguards in place;
- the envisaged retention periods for the different categories of data;
- where possible, a general description of the technical and organisational security mechanisms applied to the data.
The Data Protection Bill also requires that if an employer processes “special categories of data” (what was previously known as “sensitive personal data”) or data relating to criminal offences, its data register must include information on the basis for processing it and how the requirements of the GDPR are satisfied in respect of that type of data.
Your data register obviously isn’t limited to employee-related data, but conducting a thorough HR data audit will help you develop your data register. Once you have your HR data register you need to combine it with registers of any other data the organisation processes to create an overall data register.
5. Maintain the data audit and data register
You will need to be able to produce your data register at any point, so it’s essential not to view this as a one-off activity, but to ensure it is kept up to date. Identify who will be responsible for maintaining the register and which employees will be responsible for providing details of changes to that person.
Any policies and procedures you have in relation to data protection and GDPR compliance should reflect the importance of keeping these records up to date and identify how this will happen, setting out the responsibilities of the various roles.
If you would like more advice on auditing to comply with the GDPR do get in touch.