Latecomers: How to comply with the PDPA?
1. Recruit or appoint a Data Protection Officer (DPO):
This new role is responsible for managing the organization's compliance; the DPO is also the privileged point of contact between the PDPC, the company and its subcontractors.
2. Make an inventory of the processing of personal data:
* Identify personal data, sensitive data and their flows.
* Identify existing processing operations and verify their compliance.
* List who has access to this data and record the reason why they have access to it.
* Record all the processing operations analyzed in the register of processing activities.
* Identify and control subcontractors and external service providers working with the company's personal data, and review the subcontracting agreements.
* Verify that the processing carried out by subcontractors/service providers, in paper and/or digital format, complies with the PDPC's requirements (access, informed and unambiguous consent of the data subject, and retention period).
* Take stock of archiving practices and retention periods for HR personal data.
* Ensure HR and HRIS solutions comply with the PDPA.
3. Implement a corrective action plan.
4. Inform employees and obtain their consent.
Beyond the constraint it seems to represent, the PDPA can contribute to improving the company’s performance, but also the trust and well-being of employees, provided that tools, methods and processes are streamlined.
The digital transition has already considerably disrupted the field of HR activities in recent years. Compliance accentuates this transformation, pushing decision-makers to optimize processes and pay particular attention to HR information systems. Thanks to these new priority challenges, HR directors will be able to decompartmentalize their organization and strengthen the quality of their cooperation with suppliers and subcontractors, and, with a clear personal data management policy, protect their reputation and the attractiveness of their employer brand.