An audit is essentially a process of gap analysis where, in this case, employers will be looking for any areas within their data protection systems which do not align to the new obligations.
Planning an audit
There is no one-size-fits-all approach to carrying out a GDPR audit, and the resources required will depend on the size of the organisation and the types of data processed. In summary, what you are doing is mapping your data flow, ie looking at what types of data you process and what you do with that data.
Your plan should involve methods to look at both data held on paper and within electronic systems eg holiday planners or sickness records.
You should be prepared to track the life cycle of your employees' data from the point they apply for a job to the point of termination. In reality, data is kept for a period of time after termination of employment, so your data life cycle would need to consider this too.
One of your first considerations should be the people who will undertake the audit. Some larger organisations may opt to contract the exercise out to an external consultancy firm with expertise in the area; however, some organisations may simply not have the ability to do this. Where this is the case, you will need to pick your team carefully.
A combination of representatives from different departments is likely to be appropriate. HR is likely to be the most fundamental part of the team and may therefore require more than one representative, but further representatives from IT and the legal department will also be useful.
You should also identify other people within the organisation who you will need to speak to when gathering information to complete the audit, eg those in charge of recruitment or payroll.
Areas of interest
Your current privacy notice will set out the types of data that you process with regard to your existing employees, so this is a good place to start when compiling a list of the areas you should focus on. Remember that you will also need to include data processed with regard to job applicants, even if they were not successful in obtaining employment.
Typically, the categories of data captured by a GDPR audit in relation to HR are:
- personal information including name, address and phone numbers – for the individual and their next of kin
- CVs and other information gathered during recruitment
- criminal convictions
- references from former employers
- National Insurance numbers
- tax codes
- job title, job descriptions and pay grades
- conduct issues such as letters of concern, disciplinary proceedings
- holiday records
- internal performance information
- training details
- sickness absence records and occupational health referrals
- medical or health information
- terms and conditions of employment
- equal opportunity monitoring records
- CCTV monitoring.
For each set of data, you should identify:
- whether it is held in live or archive storage
- where it is held (on central HR portals or by line managers)
- whether it is held by a third party.
If you identify that data is kept in a system which is no longer in use, you are permitted to consider this data as ‘deleted’ provided that certain controls are in place including:
- devising a written protocol prohibiting access for business purposes
- committing to secure deletion as soon as this is practicable
- applying suitable security measures and
- implementing access controls so that the data can be accessed only for exceptional purposes (eg to comply with a court order).
Reviewing current policies
As part of the audit, you should review your current policies in the area of data protection and assess how they might need to be amended in line with the new GDPR rules. For example, your current policy – or, if you have no written policy, your current practices – on dealing with a subject access request will need to be re-assessed. Time limits for dealing with a request are changing, so your documentation and practices will need amending.
Lawful basis for processing
One of your main considerations will be the lawful basis on which you process each category of data. This may be one of the more complicated areas of an audit because it is less a matter of fact-finding about your processes and more a question of legal justification. Data may only be processed when there is a lawful basis for doing so. Many organisations have, until now, relied on consent as the basis for processing their employees' data. However, the threshold for obtaining valid consent is changing under GDPR, and employers may need to reconsider the basis they will rely on to lawfully process data.
Collecting the information
After identifying the appropriate members of staff with responsibility for processing data, you should arrange to collect information from them in order to conduct the audit. You may choose to do this via detailed questionnaires or via face-to-face interviews. Where a face-to-face interview is to be held, it is important that each person conducting an interview uses a set of questions previously agreed by the audit team, so that each interview is carried out in a consistent manner. Sufficient time should be set aside for each interview, and you should be prepared for the interviewee not to be able to answer all questions during the interview; this may be the case if they need to make checks before being able to answer fully. In order to carry out an effective interview, the audit team should ideally have identified in advance who is the best person to speak to with regard to each area.
If you require further support on this subject, please contact our team of HR Consultants at aspire cambridge today on 01223 855441.