In our hyper-connected world, data is everywhere. You can find it on the private and public cloud. It passes through local, social, private and professional networks. It is exchanged between applications, services, devices and connected objects. It is collected in Big Data reservoirs. It is a precious and valuable commodity. Data is the new black gold. Personal data is becoming increasingly accessible to companies and professional data is exposed to cyber threats. Within this context, the legal framework needs to be reinforced.
The General Data Protection Regulation, which will take effect on May 25, 2018, aims to standardize the rules for data protection in the European Union. This is the most important reform of European legislation concerning personal data protection in the past twenty years. This reform affects all the departments within a company and especially Human Resources. Though this project may be handled in some companies by other departments, the HR department is directly affected by the processes and solutions based on personal HR data.
HR collects, processes and stores large volumes of sensitive personal data as part of its activities. This begins when recruiting applicants and continues throughout the employee lifecycle (and includes the extended workforce such as temp workers, freelance workers, self-employed workers, etc.). The data is processed in a number of ways: it is viewed, modified and distributed on a variety of media, such as software, files, hard copy, etc.
New rights and greater transparency
The new regulation goes beyond just covering rights for accessing or rectifying data: it will provide the people concerned with clear, intelligible and easily accessible information on the processing of data, not only when this data is collected, but also at a later time. All data related to the employee and stored by the company must be justified. Therefore, only data strictly necessary for processing can be collected and used. Also, for some data (such as medical information or union membership), explicit prior consent is required from the employee. Such consent is not final. Employees can withdraw it.
The company must prove that it has obtained consent. This increased transparency also requires that, in the event of a data breach, the employees have to be notified within 72 hours.
The new rights include the right to be forgotten (also known as data erasure) concerning data that is no longer required or when the employee has withdrawn his or her consent. For example, data for applicants that were not selected must be quickly deleted, unless the applicant has given his or her consent. Also, the data concerning employees that have left the company can only be stored for a limited time.
Another right, the right to data portability, increases an individual’s control over his or her own personal data. Individuals must now be able to retrieve the data they provided, in an easily reusable format, for personal use or transfer to a third party.
The regulation also covers “profiling”. This may concern data that is used to provide personalized information to employees based on their context or their interests. A company must now conduct a data impact assessment whenever profiling is implemented.
The main HR projects to ensure compliance
To comply with the GDPR, HR departments will have to not only identify and locate the personal data for employees and applicants, keep them informed, ensure the security of the data, manage authorizations and make sure that the rules for storing each type of data are compliant with legal and regulatory requirements, but also try to heighten awareness among all people handling this data. This also applies to the sub-contractors the employer uses for HR projects (recruiting agencies, for example).
Identifying personal data and how it is processed
HR departments must first identify the personal data they hold. This data mainly concerns active employees, employees that have left the company (and that have a history recorded in HR applications) and applicants. They must also identify the categories of data processed, such as common personal data (marital status, family status, CV, degrees, training and login data) and more sensitive personal data (social security number or bank data). In addition, HR needs to check whether certain types of data are liable to present a risk due to their sensitive nature (for example: data concerning health).
This should allow companies to reduce the amount of data collected. It must be determined whether the data is really essential. Is the data really collected and stored for specific, explicit and legitimate purposes? Has the data been deleted once the objective has been reached?
Once the data has been identified, the associated processing must also be identified. The new regulation requires that, for each type of data processing, a description must be given of the purpose, the storage time, the categories of people involved or the categories of data involved. This information must then be recorded in a register of processing activities.
Implementing measures to protect personal data
The GDPR makes companies processing personal data responsible for that data. Companies must therefore make sure that all measures have been taken to ensure the confidentiality of employees’ and applicants’ personal data and avoid disclosure to unauthorized persons.
The HR departments will have to review the legal aspects of processing employees’ and applicants’ data (consent, contracts, legal obligations) and the associated documents (work contracts, internal regulations). If the employee has given their consent, then the data must be stored.
New rules for implementing the rights of the people concerned (right to access, control and rectify data, the right to data portability, the right to withdraw consent) must be provided for. Storage times and deletion procedures must be defined for each type of data. Once a company no longer needs data, this data must be deleted.
IT and HR departments must work together to ensure the security of systems containing personal data by applying the principles of privacy by design and privacy by default. These principles involve ‘pseudonymizing’ (a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms) and all measures that minimize the data held and limit access to it and the time it is stored.
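As an added illustration (not code from the original article), the following Python snippet applies the two measures just described to an HR record: the identifying fields are replaced by keyed pseudonyms, and the storage-time rule from the previous paragraph is checked so that expired records are flagged for deletion. The field names, the key, the retention periods and the sample record are assumptions constructed for the example.

```python
# Added example, not part of the original article: pseudonymising an HR
# record and applying a per-category storage-time rule. Field names, key
# and retention periods are constructed assumptions.
import hashlib
import hmac
from datetime import date, timedelta

# Keyed pseudonymisation: without the key nobody can link a pseudonym back
# to the person; with it, HR can still re-identify when there is a legal
# basis (e.g. answering an access request). In practice the key lives in a
# separate, access-controlled secret store. Constructed placeholder value.
PSEUDONYM_KEY = b"replace-with-key-from-secret-store"

# Fields considered "most identifying" for this example.
IDENTIFYING_FIELDS = ("name", "email", "social_security_number")


def pseudonymize(record, key=PSEUDONYM_KEY):
    """Return a copy of `record` with each identifying field replaced by a
    deterministic HMAC-SHA256 pseudonym (same input + key -> same pseudonym,
    so records can still be joined without exposing the identity)."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if out.get(field) is not None:
            msg = f"{field}:{out[field]}".encode("utf-8")
            tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
            out[field] = f"pseudo_{tag[:16]}"
    return out


# Storage time per data category, in days (assumed values, not from the
# article). Categories absent from the table are kept while still needed.
RETENTION_DAYS = {"applicant_rejected": 30, "former_employee": 365}


def must_erase(record, today):
    """Storage-limitation check: a record whose retention period has run
    out must be deleted, unless the person consented to longer storage
    (and has not withdrawn that consent)."""
    limit = RETENTION_DAYS.get(record["category"])
    if limit is None:
        return False  # e.g. active employee: kept for the employment period
    if record.get("consent_to_keep"):
        return False
    return today > record["closed_on"] + timedelta(days=limit)
```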
Aside from just technical measures, HR must also take into account organizational measures such as accessibility to HR department premises.
Also, if the processing of data increases the risk of adversely affecting the rights and freedoms of individuals, then a Privacy Impact Assessment (PIA) must be conducted and, if necessary, the local data protection regulator must be contacted. Such an assessment is required for data related to health, video surveillance of public places and profiling. It examines the conditions for collecting and processing data liable to present significant risk for the rights and freedoms of the people concerned. A PIA is one of the supporting documents to be kept and used by a company to show its compliance in the event of an examination by a supervisory body.
Documenting, communicating and training
It is the responsibility of the HR department to inform and train a company’s employees (including temp workers, freelance workers, employees on assignment, etc.) on the new points of the GDPR. A company must inform them of new or updated rights such as the right to erasure, the right to limited processing and the right to data portability. It must also anticipate requests to access personal data since any employee can now ask for access. The company must provide a response within a month.
These are all points that HR needs to focus upon, even if the project is managed by another department within the company. The GDPR may be an opportunity to reassure employees on how their data is processed and ensure trust in digital transformation.