The first step in any GDPR action plan should involve an audit of personal data collected and held by an organisation, to map out how personal data flows through their organisation and systems.
Given the significant volume of personal data held by an HR department, collecting and analysing this data is a time consuming task. There are many forms this could take. Helpfully however, the Information Commissioner’s Office (ICO) has now published a template spreadsheet that organisations can use as a starting point in their audit process. Click here to access.
What has changed?
While there have always been record keeping requirements under the Data Protection Act, A.30 of the GDPR contains an enhanced obligation to document processing activities. Additionally, most outputs under any GDPR project will need as their foundation some solid information about the data processing that is undertaken by the department. No use building without foundations!
We therefore recommend that the audit undertaken is done in such a way as to provide a platform on which to build a GDPR action plan.
In HR, the audit will need to encompass the personal data of past, present and prospective members of the workforce and any other individuals who are within the remit of HR’s responsibility; this will certainly include employees and job applicants, but is likely to extend to a wider category of individual such as interns, volunteers and self-employed contractors. The audit should encompass personal data that may still be retained in relation to past members of the workforce as this will still be covered by the GDPR regardless of when it was collected.
The audit could be done as a discrete exercise by HR or as part of a wider programme covering:
- not only workforce personal data, but also that of other data subjects such as customers and suppliers; and
- other departments within a business who will also process data e.g. finance, legal and IT.
The audit will serve as a record of the processing activities undertaken by the organisation; this record (which must include certain prescribed details listed below and will need to be kept up to date) must be made available to the ICO upon request. In the UK the record keeping requirement generally applies to organisations employing 250 or more employees, although smaller organisations could also be caught, for example, where the processing they carry out is more than occasional or includes sensitive personal data (known as special categories of data under the GDPR).
Organisations in scope must document the following information:
- The name and contact details of the organisation (and where applicable, of other controllers, and the data protection officer).
- The purposes of processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of the technical and organisational security measures.
Another factor to consider as part of the audit process are the appropriate retention periods for data, and a plan for secure deletion/destruction of old (beyond justified retention) data.
Under the Data Protection Bill currently proceeding through Parliament, an employer is required to maintain an appropriate policy document explaining how an employer processes special category personal data, which also refers to retention periods and erasure of data. The policy has to be available to the Information Commissioner.
What should your audit cover?
The ICO templates suggests that the audit spreadsheet should consider the following main areas with various sub categories of information.
- Article 30 Record of Processing Activities
- Privacy Notices
- Access Requests
- Data Protection Impact Assessments
- Personal Data Breaches
- Data Protection Bill – Special Category or Criminal Conviction and Offence Data