Six implications of GDPR for HR
Nobody will escape the fact that there is a new, stricter European data act coming into force next year. On 25 May 2018, the General Data Protection Regulation (GDPR) will build upon the existing data protection regulation act, imposing stricter rules on how companies handle data. The introduction of GDPR will change how organisations can store and use personal information. And, of course, this will also have a repercussion on corporate HR policy. José Alberto Rodríguez Ruiz, Privacy Officer at Cornerstone OnDemand, highlights the six main implications of the new law for HR.
1. No more saving
Under the new regulations, organisations may keep personal data only for as long as necessary. For example, in an application process, the data of candidates who are not employed should be deleted shortly after recruitment process, unless candidates have given explicit consent. Also, the data of employees who leave a company (by resignation, because they have found another job or have been fired) may only be retained for a limited amount of time, which will certainly effect the offboarding procedures of many companies. 'Delete employee data' must be completed with the drop-down list of 'hand in work phone', 'unsubscribe lease subscription' and ‘hand in key'.
2. Information must be targeted
Employers may only request data from potential employees if it is necessary. For all other forms of data collection, explicit permission must be requested. A critical look at the current application procedure is therefore essential. For example, is information needed to make a proper assessment? The same applies to the data of current employees. Any data companies hold on their employees must be for good reason. Previously, companies would collect generic data like civil status, number of children, driving license etc. But now It will be more difficult to justify collecting data not directly related to the role or management of the employee.
3. Provide transparency and accountability
As of May 25, 2018, companies are also required to provide insight into how and where employee data is stored and processed. For information that requires employee permission, their consent must also be held by the company. This is not final, employees have the right to withdraw their permission. It should also be made clear who has access to what data. To make this transparency possible, companies must critically review their current architecture of stored data. Does the current way of archiving meet the stricter requirements, or should processes change? In particular, companies will have to document and prove how they comply with the new law.
4. Use data only for your intended purpose
HR departments not only are limited in the amount of data they may ask from employees or applicants (see the second point), they may use this information only for the purpose for which it is requested. Provided explicit consent has been given. This may hinder a company’s ability to maintain a talent pool. Storing personal contact information for use in the future without permission is not permitted by the new data act.
5. Track data
The obligation to keep personal information up to date also has consequences for HR. Data changes from staff (removal, job changes etc.) are usually kept. But what about performance assessments? Are there any performance interviews and if so, are they centrally stored, or are they reviewed in a different way? Whatever form is used, HR must ensure that the right tools are available to keep the data in a simple and useful manner.
6. Data protection
One of the main goals of the new European Data Protection Act is to ensure the protection of personal data. This means that data must be stored safely and securely. Internally, data security must be well-organised too: only a limited amount of people should have access to the confidential information. Close collaboration with IT is necessary to find the right balance between data retrieval and how to protect that data from external threats. Externally, if sub-contracting or sub-processing is used (for example, through the cloud) companies must select a provider with adequate guarantees (in particular security of the data). They must have a contract covering all required aspects of the sub-contracting / sub-processing, ensuring support of the provider in case of incidents, and ensuring the capacity to recover the data and have it deleted at the end of the contract. Companies may have to review their current ecosystem of providers, guarantees, and the contracts they have in place to comply with GDPR.