If you handle client data of any kind, you may already be aware of the General Data Protection Regulation (GDPR), which comes into effect later this year.
If not, this post explains what to expect from the change in data regulation and how an ERP solution can help your business become compliant before the 25 May deadline.
The new regulation is a chance for you and your business to put steps in place to ensure that client and customer data is protected and that, where you rely on consent, people have actually agreed to be contacted in future communications.
GDPR is the biggest change in how we collect and store the personal details of others in over 20 years, replacing the 1995 Data Protection Directive.
Managing data security
The upcoming GDPR is not just an IT or software issue; it is a wider legal responsibility that affects everyone who collects and uses the personal data of others. For many businesses GDPR will be the first time they have had to evaluate the way their data is processed, and the truth is that no single piece of software can deliver this kind of compliance on its own. An ERP solution does, however, give you a strong footing: it integrates your business systems and processes so that data is held once, shared deliberately and available where it is needed.
Where data came from, how long it will be held and how it has been or will be shared are just some of the questions you must be able to answer, and evidence, should you be challenged. Cross-checking this information across several disconnected systems is error-prone and raises the risk of a data breach.
“The right to be forgotten”
A pivotal aspect of GDPR is consent. Where you rely on consent as your lawful basis for contacting someone, that consent must be freely given, specific, informed and unambiguous, and from 25 May onwards contacting people without a valid lawful basis will be unlawful. Pre-ticked boxes, silence and inactivity will no longer count as consent; an unticked opt-in box that the person actively ticks is fine. Communications must explain in plain language how someone’s data will be used. The business must also be able to demonstrate, when challenged, how and when a contact gave consent, and individuals must be able to withdraw consent as easily as they gave it. The right to be forgotten (the right to erasure) comes into play when individuals contact an organisation and ask for the personal data associated with their account to be deleted.
ERP systems provide a central point for customer data. Contact records, history, email correspondence and additional notes provide the audit trail required to evidence consent: not just that someone agreed, but when, through which channel and to which wording.
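As an added example of what "how and when" evidence can look like in practice, here is a small hash-chained consent log in Python. It is not code from the original post or from any ERP product; the field names, the contact identifier and the sample events are assumptions constructed for the example. Each entry records the purpose, the capture channel, the version of the privacy wording shown and a pointer to the proof, and is chained to the previous entry so that a later edit to any earlier record is detectable.

```python
"""Append-only, hash-chained consent log (added example; hypothetical design)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the hash can be recomputed on verification.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ConsentLog:
    """Each entry says who consented (or withdrew), to what, how and when.
    Entries are never edited; a change of mind is a new entry."""

    def __init__(self):
        self.entries = []

    def _append(self, record: dict) -> dict:
        record["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record

    def record_consent(self, contact_id, purpose, channel, notice_version, evidence, at=None):
        return self._append({
            "event": "consent_given",
            "contact_id": contact_id,
            "purpose": purpose,                # e.g. "marketing_email" (assumed label)
            "channel": channel,                # how consent was captured
            "notice_version": notice_version,  # which wording the person saw
            "evidence": evidence,              # pointer to the form, email, etc.
            "at": at or datetime.now(timezone.utc).isoformat(),
        })

    def withdraw_consent(self, contact_id, purpose, channel, at=None):
        return self._append({
            "event": "consent_withdrawn",
            "contact_id": contact_id,
            "purpose": purpose,
            "channel": channel,
            "at": at or datetime.now(timezone.utc).isoformat(),
        })

    def current_consent(self, contact_id, purpose):
        """Replay the log; the latest event for this contact/purpose wins.
        Returns the granting entry (the evidence) or None if not consented."""
        state = None
        for e in self.entries:
            if e["contact_id"] == contact_id and e["purpose"] == purpose:
                state = e if e["event"] == "consent_given" else None
        return state

    def verify(self) -> bool:
        """Recompute every hash and the chain links; False if anything was altered."""
        prev = GENESIS_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev_hash") != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample events, not real contacts.
    log = ConsentLog()
    log.record_consent("c-1001", "marketing_email", "web_form", "privacy-notice-v3",
                       "opt-in box ticked on signup form, form id 8812",
                       at="2018-04-02T09:15:00+00:00")
    print("consented:", log.current_consent("c-1001", "marketing_email") is not None)
    log.withdraw_consent("c-1001", "marketing_email", "email",
                         at="2018-05-30T14:02:00+00:00")
    print("consented after withdrawal:", log.current_consent("c-1001", "marketing_email") is not None)
    print("log intact:", log.verify())
```

The point of the chain is not cryptographic secrecy but evidence quality: when a contact disputes that they ever opted in, you can show the exact wording version, channel and timestamp, and show that the record has not been quietly edited since. In a real system the log would live in a database with restricted write access and periodic external anchoring of the latest hash.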
An opportunity, not a hindrance
Panic may well have set in when GDPR was first announced, with many wondering how they would tackle their data before the deadline. However, once the dust settled, many realised the great opportunity the regulation provides to re-evaluate their business strategies.
As your payroll team processes a great deal of personal data, payroll is one of the areas of your business whose existing processes will most likely need significant revision for the GDPR.
When it comes to GDPR and payroll, here are the things your payroll team needs to do now to prepare for the new legislation.
Consolidate your personnel and payroll data
If your personnel and/or payroll data currently lives in lots of different places, for example across a number of Excel spreadsheets, pull it together into as few locations as possible. Holding this data in one place lets your payroll team oversee it properly, apply access controls consistently and answer quickly when asked where a given person’s data is held.
Adopt relevant rules and standards
Adopting relevant standards such as ISO 27001, the specification for an information security management system, can make implementing GDPR smoother for your business while also meeting some of the legislation’s security requirements. Note that GDPR asks for “appropriate technical and organisational measures” rather than naming specific controls, so a recognised standard is a useful way to show what “appropriate” means for you.
For GDPR and payroll, consider all sorts of data
It is a challenging proposition when it comes to people management, but to be GDPR compliant you need to consider many different types of data. For example, how will you securely handle and store timesheets? What about emails or text messages from employees asking for holiday leave?
There is also the question of how you will securely store sick notes, which are health data and so fall into GDPR’s special categories, and likely other data you need to consider. Determine what data you have, then create new processes for how you will securely handle, store and eventually delete it.
Give payslips to your employees in a secure way
Do you leave printed payslips on employees’ desks? When the GDPR comes into force, you will have to make sure they are delivered in a secure way.
One solution businesses are turning to is online payslips, which employees can only view after authenticating, for example by entering a password. If your business still uses printed payslips, it is worth considering following the online lead.
Create a GDPR readiness plan
There is not long to go until GDPR comes into force, but there is still enough time to prepare. The start date is not going to change and your systems need to be compliant. To make that happen, create a GDPR readiness plan so you can determine where data is stored and what new processes are required.
If for any reason you cannot be compliant by 25 May 2018, make sure you have a documented plan in place so you can demonstrate that you have been working towards compliance. You are at serious risk if no such plan exists or if you are not working to turn it into reality.
Get a GDPR audit done
To make sure your processes and systems are GDPR compliant, an audit by a suitably qualified individual is highly recommended. Remember, there is the prospect of fines of up to 4% of annual global turnover or 20 million euros, whichever is greater, if your business is found not to be compliant. A documented plan that you are demonstrably working through does not exempt you from a fine, but the measures you have taken are among the factors regulators consider when deciding on a penalty.
Employ or assign a data protection officer if necessary
According to the GDPR, you need to make sure that data protection is a key part of your firm’s process of designing and operating policies, processes, products and services.
Certain types of businesses will need to appoint a data protection officer (DPO), who could be someone contracted from outside your firm or an existing employee. Examples include public authorities, firms whose core activities involve regular and systematic monitoring of individuals on a large scale, and companies whose core activities involve the processing of special categories of personal data on a large scale.
The DPO will help you to monitor internal compliance, while also informing your business on its data protection obligations, and they will advise where and when necessary.
Give employees full visibility of data you hold about them
Your employees need to know what personal data of theirs your payroll team and the wider business hold. You will also have to respond to subject access requests (SARs), normally within one month, and to requests for their personal data to be rectified or erased.
You can refuse to act on, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, but the burden is on you to demonstrate that they are, so record the reasoning in your compliance documentation.
Create GDPR-compliant privacy notices for your employees
You need to tell your employees what personal data you hold about them, why you process it and who you share it with, as the GDPR’s transparency requirement demands, and this must be done in a way that is clear. Remember, you cannot use your employees’ data for a different purpose without notifying them. And you might need to offer simple functionality that allows employees to opt out of the different ways you use their data.
Take the GDPR as a chance to push forward as a fully customer-centric business that champions transparency and demonstrates the value it places on customer privacy.
An effective ERP solution is the first step towards a single source of truth for your customer data and how you use it.
If you’d like to know more about how an ERP system can help you become fully compliant before the GDPR comes into effect this May, then contact us on 0191 500 8150 to speak to a Business Software Consultant.