The General Data Protection Regulation (GDPR) comes into force on the 25th of May and with it a host of new rules on how businesses collect, process, store, protect and dispose of data.
These rules will apply to any company that handles the data of EU nationals, with failure to comply resulting in fines of up to 4 percent of your annual global turnover.
Under GDPR the rights of the data subject and the responsibilities of the data processors and controllers have been strengthened with the objective of better protecting an individual’s right to privacy.
One of the areas that will come under the most intense scrutiny is human resources.
Here are four ways in which HR departments will be affected by GDPR.
While HR professionals have always required consent to collect candidate or employee data, the definition of consent is changing: it now needs to be “specific, informed and unambiguous”.
In addition, the definition of personal data has been expanded and now includes information such as IP addresses as well as bank details, phone numbers, etc.
There needs to be full transparency about the type of employee data held and its purpose, as well as records of how it was obtained and why it is lawful, i.e. does it fall under the legitimate interest category? Is processing the data necessary to fulfil the terms of a contract to which the subject is a party?
The data subject also has the right to request access to all information held by the company pertaining to them. Once the request has been made, the data needs to be shared within 30 days, free of charge.
The candidate also has the right to withdraw their consent at any time and request that any personal information be removed from the company’s possession.
This means that hiring managers need to have a clear record of consent as well as data processing activities. They also need to be able to explain why certain data is being collected and held and show that the information is being used in line with its intended purpose.
For example, if a candidate emails you their CV you may not use their email address to send them marketing or sales materials.
When it comes to compliance, the onus of proof lies with data processors and controllers, so HR departments need to have clearly defined the medium and rationale for obtaining and storing data.
With cyber attacks becoming more frequent and sophisticated, GDPR aims to make companies more accountable for data theft.
Any breaches in security or privacy need to be reported to the affected parties within 72 hours of becoming aware of the incident.
HR departments need to have clear processes in place when it comes to identifying breaches and reporting them within the deadline.
One key element of ensuring GDPR compliance is to control who can access personal candidate or employee information.
HR teams should explore ways in which they can ensure the security of sensitive data.
Encryption is one possible means, as is introducing a series of rigorous authentication procedures such as three-tiered password systems. This way you’re limiting the possibility of attacks or of information being accessed through negligence.
HR departments can no longer store personal data indefinitely. There needs to be a reasonable and justifiable cause to retain data.
Strong policies on why candidate information may be stored after a role is filled need to be established. Also, consider how you communicate this to prospective employees.
Perhaps their data is saved in case they may be suitable for a future opportunity. An email explaining your policy and seeking consent can cover your bases.
As a data controller, you may also be liable for third-party data processors who handle personal data on your behalf.
HR professionals need to take stock of what software or platforms they use and ensure that they’re GDPR-compliant.
It is also important to note that no platform automatically makes you compliant; only your policies do.
So while some systems may help you to better manage your data, they cannot make you compliant simply by using them.