When the new regulation comes into effect, the HR department will be responsible for the personal data it collects on applicants as well as current employees.
In just over six months’ time the General Data Protection Regulation (GDPR) will be enforced – 25th May 2018 to be exact. We’re quite far through the transition period since the regulation was approved by the EU Parliament, and whilst this new regulation can seem overwhelming, organisations must prepare now or face hefty fines when the regulation comes into force. On a positive note, GDPR requirements are good data hygiene and best practices for data management, and help to limit or diminish risk related to data, surely in the case of a cyber-attack, but also by pushing to improve the quality of the data, and therefore, the value of the data.
The aim of GDPR is to protect EU citizens when their personal data is processed, by keeping it safe and secure and avoiding misuse. Companies are indeed beginning to take action. Some, like the UK pub chain Wetherspoons, are even taking the rather extreme measure of deleting their entire database of customer’s email addresses (Wired 03.07.17). So far, businesses’ focus has predominantly been on ensuring to protect client and customer data, but companies can’t afford to forget that the same rules will also apply to employee data, and that includes potential employees and candidates.
So, what does this mean for HR? When GDPR is enforced, companies will be able to collect personal data on applicants, but only data points that are necessary for the application process, having a major impact on the application process and assessments. For any further data, companies will have to ask for explicit permission and any information provided can only be used for the express purpose it was requested. If the person doesn’t get hired, all the information must be deleted. Likewise, all data collected and stored on current employees must be justified and relevant to the management or role of the employee. Companies must have consent for any data that requires employees to grant their permission (which employees can withdraw at any time) and if an employee leaves the company, for whatever reason, their personal data must also be deleted.
In companies that are processing thousands of data points, being compliant requires meticulous preparation. It can be a rather daunting prospect, but it is never too late to begin, and we recommend approaching GDPR compliance for your employee data in three simple steps. Oh, and you are surely not starting from scratch, many companies have data management processes in place already.
Step one: Privacy by design
The concept of privacy by design is about including data protection requirements when designing systems and processes. To be GDPR compliant, it’s easier to create a new process or system designed with the requirements in mind, rather than “fixing” it later on.
My tip is to start with the data, not the process, and document the justification for those data points. Different territories will require different data points – so it’s important to understand cultural requirements as part of this process. For example, in Germany you must declare your religion, as Church members are required by law to pay tax to fund the church. If an employee indicates membership to a tax-collecting religious community, the employer must withhold ‘church tax’ from their income.
Then, review the processes which relate to the data you really need, and incorporate the privacy requirements and the user rights within those processes.
This will be facilitated by having a clear view on all your data. It’s more efficient to build out and design processes around the data you need, rather than tweaking old processes to fit with new regulation. This is also a perfect opportunity for a good clean-up and you will get the added bonus of demonstrating compliance with the data minimisation principle.
Step two: Privacy impact analysis
Privacy by design could be a lot of work, so how do you prioritise? Conduct an audit of the processes and data you collect and the ‘treatment’ of this data, and perform a gap analysis and identify where higher risk sits. For example, if I were to suffer a data breach, which dataset would generate the worst consequences? Learning transcript or compensation data? You should start with those.
Also, review any data that may be collected automatically, you are equally responsible for the resulting actions of an automated process as well as a manual one.
An audit will help identify any points of weakness and areas of risk – but we are not done yet. It is also important to keep conducting these audits on a regular basis to ensure the quality (and compliance) of the processes is maintained, as well as adapting these to any further legal changes.
Step three: Establishing accountability
The third step is about closing the circle. Businesses need to provide full transparency, including on where employee data is stored and how it is processed, making it clear who can access what data. Once the datasets are clean and the processes have been reviewed and adapted, you now must document and prove how you are compliant. This is called the accountability principle, and essentially translates into documenting the datasets (and how they comply with the data minimisation principle), and documenting your processes (and how they implement privacy requirements and allow users to exercise their rights).
Step three and a half: So, who does all this?
Many companies are appointing general Data Protection Officers who are required to work closely with all departments, but we are now seeing a new role within HR departments. It is in HR’s interest to have a data privacy specialist “in-house”, who works closely with the Data Protection Officer to ensure compliance. Data privacy requires legal knowledge, technical knowledge and business knowledge, and such an expert would provide the much-required expertise around both the local laws and the HR processes of the company.
GDPR is not a straight-forward regulation and it’s important HR prepares now if it hasn’t already. It demands a rethink of certain processes and a review of personal data handling and housing. Even with these three steps in mind, it can feel intimidating to start the process. But I truly believe that the effort pays off with the higher quality of the data, more efficient processes, less risk of fines and penalties, and (much) better employer brand and employee motivation. You want your employees to feel safe and focus on their work, so you need to make sure that their personal data and information is secure and protected.
Compliance is a process, and data protection a culture: once in place, is a very powerful and effective tool.