Regulations and manuals cannot ensure compliance with GDPR if not used properly
More than three months have passed since the General Data Protection Regulation (GDPR) entered into force. We assume that those of you running a business have already reviewed your operations and internal procedures and that they are now fully compliant with the complex requirements of GDPR. You have probably established the extent to which the regulation applies to your organization. Perhaps you have mapped out the current situation, carried out audits, written up manuals and stored them in folders.
If the above is true, that is already a very good result, and you are treating GDPR with the heightened attention it surely deserves. That being said, we would like to stress that compliance with GDPR is not merely a formality. Protecting personal data has to be a constant part of the organization’s everyday operations.
Manuals are pointless if nobody knows how to use them!
Personal data protection processes and manuals are useless if they are not put to use. This means that they should be introduced to the employees who come into contact with personal data daily. By “introduced”, we do not mean just getting the employees to sign the manual, but actually training them. The outcome of the training should be that the employees know how to use the manuals to protect personal data in their everyday work. They should also know how to recognize situations in which personal data might leak and what to do if this happens. You should inform your employees about how the organization protects its employees’ data. This may include information about the employer’s access to employees’ computers or files, etc. The management can carry out the training themselves or ask a specialist for help.
Attention, HR managers!
GDPR also applies to the personal data of employees. Obviously, this adds some burden on an HR manager. Employees should always be able to turn to their HR manager and ask what personal data the employer gathers about them and why. For example, if an employee does not like their picture on the company’s website, they can ask to have it removed. The same goes for notes about being on maternity leave. The employee can reference the GDPR when making those requests. According to the regulation, the HR manager must always be prepared to give employees information regarding the topic. It is also important to know whether information can be given out to employees, which information, and in what way, to make sure it stays secure.
The mere existence of regulations and manuals does not ensure the protection of personal data. Therefore, as there is no limit to the ways in which data can leak, these regulations and manuals must be made known to employees in as clear and understandable a way as possible.
Be sure to contact us if you have any additional questions.