With the 25th of May creeping closer, everyone is talking about privacy, the General Data Protection Regulation (GDPR), how this new legislation affects business and, very importantly, what should change in how we manage personal information. I spoke to Elizabeth de Stadler, plain language and privacy law expert and author of “A Guide to the Protection of Personal Information Act”, about what our Clients and AIMS Partners should be aware of and what actions we should take to prepare for this legislation. Elizabeth makes the following very important point: “We firmly believe that good data management is crucial, regardless of whether legislation compels organisations to take it seriously…”
It is important to remember that GDPR is not only relevant in the EU countries where the legislation originates. For example, if an Indian company has an office or subsidiary in any EU country, that subsidiary (and possibly the whole group of companies) will also have to be compliant. A South African branch of a German-headquartered business will have to comply with both POPIA (the Protection of Personal Information Act) and GDPR. The good news is that if you comply with GDPR, chances are that you will also comply with POPIA, and you will have covered most of what privacy and data protection laws elsewhere in the world require. Even if your company has no presence in the EU, but you offer goods or services to individuals in the EU (or monitor their behaviour), you most definitely need to comply with GDPR as well. You are also not off the hook if you have a distribution agent, representative or other establishment in the EU.
Where does one start? Elizabeth says it starts with “Knowing your information: Document what personal data your organisation holds, where it came from and who you share it with. In other words, organisations should do a personal data audit.”
Most people I speak to focus on client information. However, the most sensitive information you hold is almost certainly that of your own employees. Your company has personal information about each and every employee: their bank details, and even family and health information such as HIV status, doctors’ diagnoses and medical insurance details. The list goes on. Taking control of where you keep this information and who has access to it is a good start. The golden rule is to hold as little information as possible. If you do not need it, destroy it. If you do not need to share it, don’t.
When it comes to recruitment processes, the same rules apply. Applicants often over-share in the excitement of landing their dream job. Only keep the information that is necessary. Get rid of the information of unsuccessful applicants as soon as you can (you may want to keep it for the window period within which unsuccessful applicants can object, and no longer). If you have a careers website, the ideal is for applicants to manage their own information via an applications platform, because information that applicants maintain themselves is far more likely to be up to date and accurate. Ensure the information is hosted with a reputable hosting company, ideally in the EU where privacy laws are strict, and under a written agreement that sets out how the provider may process it. Monitor how many people in your business have access to a new employee’s information, from the HR manager doing the initial interview through to the director’s office and the data capture officer who inputs the successful candidate’s personal data into your payroll system. How many times was this information printed? What happens to those hard copies?
This brings us to your own personal information. Elizabeth is a firm believer that once you train individuals to protect their own information, everyone becomes more careful when handling other people’s private information. Identity theft is a reality. Make sure you know your rights when it comes to who you share your information with. For example, when filling in a form to do a bit of online shopping, you may come across tick boxes forcing you to “receive our newsletter” or “share your info for marketing purposes” that will not let you complete your transaction otherwise. Don’t do it! Consent that is bundled with a purchase in this way is not freely given, and GDPR does not treat it as valid consent. The new legislation focusing on the protection of all our personal information will hopefully result in all of us knowing our rights a little better and feeling a little more secure in this world of digital data convergence.