GDPR Learning Hub

Onboarding and offboarding

Procedures for onboarding and offboarding

It can be good for companies to establish procedures for onboarding and offboarding employees. 

What are the procedures for onboarding and offboarding?

Onboarding and offboarding procedures describe the permissions to set up and the points to consider before a new employee starts and when an employee leaves. They usually also state what equipment employees receive at the start of their employment and the requirements for returning it.

Not everyone at the company usually needs access to all personal data

Just because a company processes certain personal data, it does not mean that everyone in the company should have access to it. It is important to analyse who needs access to which personal data in order to perform their tasks. For example, a financial manager usually has access to more personal data than other employees, such as information about all employees' reported sick leave, in order to pay and report the correct salary.


Do businesses have to have procedures?

The GDPR contains no explicit requirement for such procedures. However, under the principle of accountability in Article 5(2) of the GDPR, companies must be able to demonstrate that they comply with the regulation, and one way to demonstrate this is to have created and implemented written procedures. If the company has not done so, the risk that it will violate the GDPR increases significantly: for example, if the company receives a request from a data subject to exercise one of their rights and the employees do not know how or when to respond in accordance with the GDPR. Procedures create structure and can both streamline GDPR work and help the company comply with the rules in the regulation.

Complement written procedures with oral information

Written procedures and written information to employees during onboarding and offboarding are of course good. It is even better, however, if they are supplemented with oral information, that is, staff are also told in person what applies, to further ensure that they know the procedures and apply them in practice.

Onboarding: When new employees are welcomed and trained

Onboarding is about welcoming and training new employees in the work. It is an important internal procedure within a company. Furthermore, it is good to include information about GDPR in the procedure, as there is a risk that GDPR will not be complied with otherwise. Most employees usually work with some form of personal data processing as part of their tasks. 

What is good for an onboarding procedure to include?

Role and needs analysis

It is important to first carry out a needs analysis, to find out who needs access to which personal data, systems, etc. It is good to have this documented, so that it is easier to know what the new employees need.

Creating accounts

New employees often need access to the company's various IT systems and digital tools in order to manage their tasks. For example, they may need a work-related email address and a login to the CRM system. It is good to inform employees about the rules surrounding these accounts.

Equipment

It is common for employees to need some form of equipment to perform their duties. It is therefore good to have a checklist in the procedures, so that nothing is forgotten and it is known what each employee has received: for example a work computer, mobile phone, access card and logins to various systems.

Education

It is always good to provide new employees with appropriate training, including on GDPR, when they start working. This helps them to carry out their tasks in accordance with internal instructions and applicable legislation.

Security procedures

Introduce new employees to security practices by showing how everything works in practice. For example, how to protect their workstation in practice, things to consider when working in open environments, password management, reporting suspected personal data breaches, etc.

Offboarding: What happens when an employee stops working at the company

It is important not to forget to regulate what happens when an employee stops working at the company. For example, when the person’s access to systems should be revoked and what equipment they should return, as well as when and how it should be done in a secure manner.

Content that can be good to regulate in an offboarding procedure


Access management

It is important to terminate the person's access to the company's IT systems, digital tools and similar immediately upon termination of their employment. It is therefore good to regulate this in an offboarding procedure, as important actions are otherwise easy to miss: for example, disabling email accounts and terminating access to internal systems (such as cloud services), internal communication groups and the like.


Return

Make sure the procedure states what is to be returned to the company, for example equipment such as the work computer and telephone, and who should receive, check and wipe the returned devices.


Documentation checklist

It is good to have a checklist to document the important steps in the offboarding process. This reduces the risk of something being forgotten. For example, the employee responsible for the offboarding process should tick off each item as the activities are carried out.
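As an added example that is not part of the original page, the following Python script shows how the two points above, revoking access immediately and keeping a documented checklist, can be checked mechanically rather than only on paper. It reconciles a constructed HR roster of leaving dates against a constructed export of account states and flags accounts that are still enabled after their owner left (or that have no HR record at all), and it reports which steps of an assumed offboarding checklist remain undone. All user names, system names, dates and checklist steps are constructed for illustration.

```python
from datetime import date

# Constructed HR roster: user -> date employment ended (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 3, 31),
    "carol": date(2024, 4, 15),
}

# Constructed export of account states from the company's systems.
ACCOUNTS = [
    {"user": "alice", "system": "email", "enabled": True},
    {"user": "bob", "system": "email", "enabled": False},   # correctly disabled
    {"user": "bob", "system": "crm", "enabled": True},      # missed at offboarding
    {"user": "carol", "system": "email", "enabled": True},  # missed at offboarding
    {"user": "dave", "system": "cloud-storage", "enabled": True},  # no HR record
]

# Constructed date on which the reconciliation is run.
AS_OF = date(2024, 4, 30)

# Assumed offboarding checklist; the step names are illustrative.
OFFBOARDING_STEPS = (
    "disable_email",
    "revoke_cloud_access",
    "remove_from_chat_groups",
    "return_laptop",
    "return_phone",
    "return_access_card",
    "wipe_returned_devices",
)


def stale_accounts(roster, accounts, as_of):
    """Return (user, system, reason) for every enabled account that should
    not be enabled: the owner left on or before as_of, or the owner is
    unknown to HR (an orphaned account)."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to report
        user = acct["user"]
        if user not in roster:
            findings.append((user, acct["system"], "no HR record"))
            continue
        left = roster[user]
        if left is not None and left <= as_of:
            days = (as_of - left).days
            findings.append(
                (user, acct["system"], f"still enabled {days} days after leaving")
            )
    return findings


def missing_steps(completed):
    """Return the checklist steps not yet ticked off, in checklist order.
    Unknown step names are rejected so a typo cannot silently count as done."""
    done = set(completed)
    unknown = done - set(OFFBOARDING_STEPS)
    if unknown:
        raise ValueError(f"unknown checklist steps: {sorted(unknown)}")
    return [step for step in OFFBOARDING_STEPS if step not in done]


if __name__ == "__main__":
    for user, system, reason in stale_accounts(HR_ROSTER, ACCOUNTS, AS_OF):
        print(f"{user:6} {system:14} {reason}")
    print("open steps for bob:",
          missing_steps(["disable_email", "return_laptop", "return_phone"]))
```

Run periodically against real exports, the reconciliation turns the "immediately" requirement into something measurable: each finding carries the number of days an account survived its owner's departure, which is exactly the kind of evidence the accountability principle asks a company to be able to show.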


Procedures for sharing data internally

It is common for employees within the business to share personal data internally between each other, and therefore it is good to have procedures for this. In addition, many of the internal data sharing processes occur quickly and under time pressure, which can lead to simple mistakes. By having written procedures, companies can help prevent mistakes and incorrect personal data processing. Please note that it is good to regulate the oral sharing of personal data as well. For example, employees should not talk about anything sensitive or mention personal data in public environments where unauthorized persons can hear the information.
