In May 2018, the EU General Data Protection Regulation (GDPR) went live, bringing with it wide-ranging obligations that cut across all forms of personal information that organisations hold. Now that it has had a few years to bed in, business leaders might be wondering: does the GDPR affect my company’s intranet?
Admittedly, the primary focus of GDPR compliance was on customer data and marketing functions. Yet the information you hold on your employees, and how you interact with them digitally, could leave you just as exposed as your customer experience data.
What is the GDPR?
In a nutshell, the GDPR is a set of data protection rules that define how people can access information about themselves, as well as what the organisation who holds that information can do with it.
The legal obligations of the GDPR apply to any organisation holding personal information on EU citizens. According to the ICO, organisations classed as “data controllers” – those who have overall control and liability of the personal data they hold – have a responsibility to demonstrate their compliance with the GDPR, whereas “data processors” process that data on the controller’s behalf.
“Personal information” refers to anything that can identify an individual, whether it is gathered for private, professional, or public use.
If your customers, staff, and suppliers are all entirely UK residents, the existing Data Protection Act 1998 remains your framework for compliance, but the vast majority of UK companies hold personal data on people born in an EU country.
Ignoring the GDPR can lead to fines of up to €20m, or 4% of annual global turnover – whichever is higher.
What are the implications of GDPR?
The new legislation is designed to tackle the very real issue of data breaches, which have left the general public – and companies – vulnerable to a wide range of harms, including spectacular failures in protecting data. Even major high street names have proved guilty of leaking customer information into the public domain.
It also provides a partial answer to the epidemic of identity theft, and closes some doors to cybercriminals.
The GDPR is largely centred on imposing stronger and more far-reaching controls on data collection, storage, use, transfer, and disposal. One of the central principles of the GDPR is that personal information will have to be encrypted in future. This includes using pseudonyms in place of names.
The aim is to ensure that any data leaked or misappropriated becomes useless to anyone who doesn’t have the encryption key.
One of the complexities this brings to company intranets is who will hold the encryption keys, and under what circumstances data can be unlocked back into its usable form. This needs careful planning, not least because, under the GDPR, companies will be required to have tangible and auditable systems governing all of their obligations.
This includes having visible systems in place to allow individuals to access their data on request, and equally tangible systems to dispose of data thoroughly from all parts of your IT systems and procedures.
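As an added illustration of the key-holder question above (example code, not from the article or any product it describes), the following Python pseudonymises an employee directory with a keyed hash so the intranet copy carries no names, while re-identification and erasure go through a separately held mapping; the constructed records, key and function names are assumptions.

```python
import hmac
import hashlib

# Constructed sample: the employee directory as an intranet might hold it.
EMPLOYEES = [
    {"id": 1, "name": "Alice Example", "dept": "Finance"},
    {"id": 2, "name": "Bob Example", "dept": "IT"},
]


def pseudonymise(records, key):
    """Return (intranet_view, mapping).

    intranet_view replaces each name with a keyed pseudonym (HMAC-SHA256),
    so a leaked copy reveals nothing without the key. The HMAC is
    deterministic, so the same person gets the same pseudonym in every
    export and records can still be joined. mapping (pseudonym -> name) is
    the re-identification table the designated key holder keeps apart from
    the intranet.
    """
    view, mapping = [], {}
    for r in records:
        tag = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        view.append({"id": r["id"], "pseudonym": tag, "dept": r["dept"]})
        mapping[tag] = r["name"]
    return view, mapping


def reidentify(pseudonym, mapping, approved):
    """Unlock a pseudonym only when the key holder has approved the request
    (the 'under what circumstances' decision the text refers to)."""
    if not approved:
        raise PermissionError("re-identification not approved")
    return mapping.get(pseudonym)


def erase(pseudonym, mapping):
    """Honour an erasure request by dropping the mapping entry, so the
    pseudonym left in intranet exports can no longer be linked back to a
    person. Returns True if an entry was removed. Caveat: whoever still
    holds the key and knows a name can recompute its tag, so the key itself
    must be destroyed or rotated when the whole data set is retired."""
    return mapping.pop(pseudonym, None) is not None
```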
GDPR, intranet, and internal communications
As already mentioned, internal communications are a focal part of your company’s obligations under the new legislation. In fact, the GDPR makes specific provision for staff having the right to give or withhold consent for their personal information to be stored and used. And, if they refuse, this can’t be viewed detrimentally.
How this works in payroll terms is currently not clear, but it certainly makes setting up and running intranet software more complex. As a company, you will need to have tangible and documented systems to request consent from staff before you can use any personal information – even their name.
You will need to be able to show how you will use the data you hold on them, how long it will be held for, how they can access it, and in what way you will dispose of it.
Solutions and workplace systems for GDPR compliance
For many companies, solutions can be found in reviewing the hardware, software, skills, and responsibilities you already have. You may need to swiftly appoint Data Protection Officers, who will oversee compliance and implement any vital changes.
Using your intranet’s compliance tools can help you project-manage the changes needed, particularly if multiple sites and remote workers are involved. This will ensure that everyone in your digital workplace is clear about the goals you have set out to meet as a company, along with their own obligations and responsibilities.