Five ways HR can lead the way with GDPR

While the General Data Protection Regulation (GDPR) brings risks and eye-watering penalties for non-compliance, it also brings great opportunities for firms that use it to build a healthier, more effective relationship of trust with customers and employees around data. Barry Stanton, partner at law firm Boyes Turner, outlines five ways HR can lead the way with GDPR.

The GDPR presents significant challenges and opportunities to the business community, with potential fines of £17 million for those who do not comply.

However, within those challenges it provides an opportunity for proactive and talented HR professionals to demonstrate their true worth to a business.

The UK Government recently announced its intention for a new Data Protection Bill, which will bring the EU's GDPR legislation into UK law.

HR can be the leaders, by example and expertise, in the steps needed to ensure mere compliance with GDPR gives way to a bigger opportunity to transform the relationship businesses have with both current and prospective customers' data.

They can also help achieve the holy grail of "privacy by design and default", which is outlined in the proposed legislation, with GDPR becoming a catalyst for positive change.

But there are only nine months to go before this goes from theory to cold, hard practice. So how can HR lead the way?

1. HR teams are used to handling data and data requests

You will have already trodden the path to data compliance, and even if you are not 100% compliant yet, you are already familiar with the major tenets of data protection.

While you will need to ensure that you have secured compliance with GDPR, this also presents an opportunity to take the lead in compliance in your business.

HR professionals can use this as a way to showcase their expertise in data issues, leading by example with personnel data and then helping the business deal with customer data handling.

You can help the business identify the issues, and then help solve existing problems and anticipate those that will arise later.

2. Robust policies and staff training are your domain

Securing privacy by design and default requires much more than compliance. Having secured the systems, there need to be policies in place that everyone can follow.

This will need to be at a straightforward and basic level to ensure that it is easy to understand and apply. HR teams are used to writing policies to secure compliance by the workforce.

You have significant experience drafting and using policies, testing them to ensure that they work in the manner intended.

By ensuring you are using acquired knowledge and experience in not only drafting policies but training staff to understand and adhere to policies, you will greatly assist the business to be ready for GDPR.

3. Bring your risk management expertise to the fore

Not only do HR teams draft, review and revise policies, they are at the forefront of dealing with risks posed by employees and use of data.

That puts you ahead of the business, where many managers will rely heavily upon HR's expertise and understanding of people and their habits.

By using acquired knowledge of data and employee behaviours, you can help the business develop a holistic approach to the implementation of GDPR compliant strategies. HR can lead the planning and development of strategies for the entire business to mitigate risk.

It will be vitally important to document and demonstrate succinctly and clearly that the business has complied with its GDPR obligations in order to mitigate any risk of fines.

4. HR can build in agility and resilience

The work should not end with simple risk analysis. HR should also use its understanding of the organisation to help to design in agility and resilience, helping teams most impacted by new ways of working to avoid or minimise risk and to consider the wider current and future implications of GDPR.

In a world where subject access requests may become more prevalent and fines will be punitive, you can find ways to ensure that the business is able gear up to deal with the need to respond more quickly to what will inevitably be the more numerous requests.

No longer will it be good enough to muddle through. There will need to be clear and well-defined paths of communications. All involved will need to understand their roles and responsibilities.

5. HR can enhance employees' skills and capabilities

Finally, you are best placed to really embed all of this by enhancing employees' knowledge and understanding of data privacy matters.

Training will be essential to provide employees at all levels with the requisite skills and capabilities to operate effectively in a GDPR-compliant environment, really understanding their obligations and the consequences of falling short.

You have a unique and pivotal role in turning a regulatory change into an opportunity to embed a cultural change within the fabric of the business and the minds of employees. By championing privacy "by design and default", HR can seize the upside of GDPR.