Still getting your head around GDPR? We've pulled together everything you need to know, so HR and People teams have all the essential resources they need.
The General Data Protection Regulation ('GDPR') is due to come into effect on May 25, 2018. The GDPR sets out new responsibilities businesses have in relation to the personal data they collect, hold and process.
Employees generate a large amount of personal data that HR must collect, store and manage. As the employer and data controller it’s your responsibility to determine the purposes of your employee data in line with the GDPR.
The new regulation sets out minimum requirements and does not only apply to organizations located within the EU, but also applies to organizations who process data in relation to EU data subjects.
As the date of the GDPR approaches, it’s time for HR and People teams to look closely at how they manage their employee data processing. Here are some of the key considerations for you, as the employer and data controller, to think about.
Employees can request that their personal data be deleted in certain circumstances. This right requires you to ensure the irretrievable removal of deleted data.
Employees can obtain a copy of their personal data in a structured, commonly used and machine readable format for their own purposes.
Employees can request that there be a restriction placed on the processing of their personal data. You are permitted to store the personal data, but no longer process it.
Should be freely given, and needs to be specific, informed and unambiguous. You need to gain explicit consent from employees for the use of their personal data.
HR and People teams will need to thoroughly review how they manage employee data and requests. We’ve identified six key steps to help prepare your HR and People teams for GDPR before May 25.Download eBook now
We are committed to our customers' success, including GDPR readiness. Learn how our HR and People system can keep data secure while making processes more efficient.
Send tailored communications and privacy notices to keep your employees informed.
Manage consent and data requests easily with automated workflows and processes.
Allow employees to access and update their data via a self-service portal.
Easily identify and export personal data so that employees can take their information with them.
Systematically flag data that needs to be either deleted or anonymized.
Protect data with configurable user access permissions, and built on the Salesforce App cloud the world's most trusted cloud platform.
These FAQs sets out some commonly asked questions asked by Sage Business Cloud People’s clients and our response.
That’s up to you. Obviously, the information you require on your potential, current and former employees. You have access to fully customizable set of information fields that can be customized to ensure you collect only the minimum data necessary for your purposes, but still ensure the data is complete, adequate and accurate for your needs. Providing user self-service portals reduces your administrative overhead by allowing individuals to enter and update their own data.+ View answer
We use the Salesforce platform to host your data. Our partner operates a highly resilient cloud infrastructure that we have built the Sage Business Cloud People system upon. The infrastructure can be configured to be hosted locally within Europe or globally.+ View answer
Where global requirements are in place it is the company’s obligation to notify EU citizens of transfer outside of the EU and ensure adequacy measures are in place. The Salesforce platform operates mechanisms such as Privacy Shield and BCRs to legitimize international transfers and we are proud to hold TRUSTe’s Privacy Seal. Sage legal has introduced a suite of inter-company Global Data Processing and Transfer Agreements, which incorporate the requirements of the GDPR and include the use of the EC Standard Contractual Clauses for transfers of data outside the EEA. These agreements facilitate the secure movement of personal data around the Sage group of companies whilst ensuring that all processing activities comply with the GDPR.+ View answer
We appreciate that you are the Data Controller and we are a Data Processor, and therefore we have undergone a program to make sure that our contracts reflect our obligations to you and reflect all the GDPR requirements that apply to processors. Beyond that we have performed Product Privacy Impact Assessments to identify opportunities where we can introduce functionality that makes your job as the data controller easier, and have designed a product that enables appropriate privacy by design and default.+ View answer
The organization can provide internal communications and access to policies and procedures in order to display privacy policies and fair processing notices to individuals who have their data held.+ View answer
You as the controller, will receive and process all requests, however we can make this easier for you. The product features a self-service interface which ensures that users have access to their own data, and users can access and update their own information as required. In addition, the reporting capabilities can be used to retrieve more comprehensive reports in the event of a formal access request. Data can be managed at a granular level in the event of a rectification or erasure request.+ View answer
That’s up to you. Data from the hub network feeds into an export interface called the Sage People Payflow, a cloud-based system that provides feeds into external systems, such as benefits partners and payroll providers. Access and integration to personal data is controlled entirely by choices made by the business.+ View answer
Personal data may be retained for the duration of the business relationship, and retained or removed as required by law. Granular control of retention and deletion is available, where you wish to create policies to control the retention and deletion of data for each item. Sage Business Cloud People has further information available on how long it retains data including back-up and recovery information, available on request.+ View answer
We operate appropriate security including combinations of physical, organizational and technical controls. The model is for all information is to be hosted by the Salesforce platform in a self-contained access controlled virtually separated ‘org’. All access requests are separated with clear role based access and transactions accompanied by “org ID” that prevents access to other company’s information. Find out more information on the Salesforce platform security measures and certifications at https://trust.salesforce.com.+ View answer
Sage has a project team who are focusing on the implementation of GDPR, and which is endorsed by the Sage Board. In addition, Sage has robust governance procedures in place to manage the implementation of GDPR including a Data Governance Committee comprising many key stakeholders to ensure all areas of our business will be ready for GDPR from the date of enforcement in May 2018. Learn more about Sage GDPR preparations. For more information see sage.com/gdpr.+ View answer
In the unlikely event of a breach, Sage has established a global incident reporting policy and supplementary procedures, supported by Sage's risk team, enabling consistent rating and internal escalation (as required) of incidents, including those which may involve personal data.+ View answer
More information on the GDPR can be obtained from;
The text of the GDPR: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
The UK’s regulator the Information Commissioner: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The EU guidance form the Article 29 working party: http://ec.europa.eu/newsroom/article29/
Take a look at our full list of frequently asked questions about the incoming GDPR.
Here you’ll find a range of resources with more information to help you on your way to being GDPR ready.
The information contained in this webpage is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers and prospects making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.
While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.